scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]

r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by user, we have buffer overflow in scsi_target_emulate_report_luns. To fix, we allocate the buffer dynamically. Signed-off-by: Asias He <asias@redhat.com> Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Asias He <asias@redhat.com> 2013-10-09 15:41:03 +0800
committer: Paolo Bonzini <pbonzini@redhat.com> 2013-10-09 17:24:18 +0200
commit: 846424350b292f16b732b573273a5c1f195cd7a3 (patch)
tree: 0a25400c33e0c31eac0c451debea9ec630357168 /include/hw/scsi
parent: 24c7608a5d973e5d562715998e9887f74deac794 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
index 1b6651054a..76f6ac24a7 100644
--- a/include/hw/scsi/scsi.h
+++ b/include/hw/scsi/scsi.h
@@ -9,6 +9,8 @@
 #define MAX_SCSI_DEVS	255
 
 #define SCSI_CMD_BUF_SIZE     16
+#define SCSI_SENSE_LEN      18
+#define SCSI_INQUIRY_LEN    36
 
 typedef struct SCSIBus SCSIBus;
 typedef struct SCSIBusInfo SCSIBusInfo;
author	Asias He <asias@redhat.com>	2013-10-09 15:41:03 +0800
committer	Paolo Bonzini <pbonzini@redhat.com>	2013-10-09 17:24:18 +0200
commit	846424350b292f16b732b573273a5c1f195cd7a3 (patch)
tree	0a25400c33e0c31eac0c451debea9ec630357168 /include/hw/scsi
parent	24c7608a5d973e5d562715998e9887f74deac794 (diff)