]> Git Repo - qemu.git/commit
projects / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2a69314) | patch
megasas: use unsigned type for reply_queue_head and check index
authorPrasad J Pandit <[email protected]>
Wed, 13 May 2020 19:25:38 +0000 (00:55 +0530)
committerPaolo Bonzini <[email protected]>
Wed, 10 Jun 2020 16:10:12 +0000 (12:10 -0400)
commitf50ab86a2620bd7e8507af865b164655ee921661
tree26df3019b59b085903ae1e860d633057f67dfd84tree | snapshot
parent2a6931425890a9a2822e62f60724a9edbb93ba10commit | diff
megasas: use unsigned type for reply_queue_head and check index

A guest user may set 'reply_queue_head' field of MegasasState to
a negative value. Later in 'megasas_lookup_frame' it is used to
index into s->frames[] array. Use unsigned type to avoid OOB
access issue.

Also check that 'index' value stays within s->frames[] bounds
through the while() loop in 'megasas_lookup_frame' to avoid OOB
access.

Reported-by: Ren Ding <[email protected]>
Reported-by: Hanqing Zhao <[email protected]>
Reported-by: Alexander Bulekov <[email protected]>
Signed-off-by: Prasad J Pandit <[email protected]>
Acked-by: Alexander Bulekov <[email protected]>
Message-Id: <20200513192540.1583887[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
hw/scsi/megasas.c diff | blob | blame | history
Empty description
This page took 0.025812 seconds and 4 git commands to generate.