Hello Paolo,

+-- On Tue, 6 Sep 2016, Paolo Bonzini wrote --+
| The commit message is not correct, because you're fixing the bug in two
| different ways: by removing the cast and by limiting the number of
| iterations in the loop.

Ah, yes; Sorry about that.

| ---
| In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
| long time or go into an infinite loop due to two different bugs:
|
| 1) the request descriptor data length is defined to be 64 bit. While
| building SG list from a request descriptor, it gets truncated to 32bit
| in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
| situation large 'dataLen' values when data_length is cast to uint32_t
| and chunk_size becomes always zero. Fix this by removing the incorrect
| cast.
|
| 2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
| element has a zero length. Get out of the loop early when this happens,
| by introducing an upper limit on the number of SG list elements.
| ---

Done; I've sent a revised patch v3 with this commit message.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
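
The two failure modes named in the commit message above, as a simplified C model added here as an example (it is not QEMU's code and not part of the original mail). The `sg_elem` type, `convert_sglist`, the `SG_ELEM_LIMIT` and `STEP_BUDGET` values, and the cyclic reuse of the list are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SG_ELEM_LIMIT 2048    /* assumed cap; the mail does not give the value */
#define STEP_BUDGET   100000  /* model-only guard so looping variants return */

/* Simplified SG element (assumption): only the length matters here. */
typedef struct { uint32_t length; } sg_elem;

/*
 * Model of consuming data_len bytes from an SG list that is reused
 * cyclically (assumption: a next element is always available).
 * Returns the number of chunks added, -1 if the loop would not
 * terminate, -2 if the element limit stopped it.
 */
long convert_sglist(const sg_elem *sg, size_t n, uint64_t data_len,
                    int cast32, int limit_elems)
{
    uint64_t resid = 0;
    size_t fetched = 0;
    long chunks = 0, steps = 0;

    while (data_len) {
        while (!resid) {                    /* bug 2: zero-length elements */
            if (limit_elems && fetched >= SG_ELEM_LIMIT) return -2;
            if (++steps > STEP_BUDGET) return -1;
            resid = sg[fetched++ % n].length;
        }
        /* bug 1: a 32-bit cast turns 2^32 into 0, so chunk stays 0 */
        uint64_t want = cast32 ? (uint32_t)data_len : data_len;
        uint64_t chunk = want < resid ? want : resid;
        if (chunk) chunks++;
        data_len -= chunk;
        resid -= chunk;
        if (++steps > STEP_BUDGET) return -1;
    }
    return chunks;
}

int main(void)
{
    /* Constructed sample lists: one 2 GiB element, one zero-length element. */
    const sg_elem big[] = { { 0x80000000u } }, zero[] = { { 0 } };
    uint64_t len = 1ULL << 32;

    printf("cast kept:    %ld\n", convert_sglist(big, 1, len, 1, 1));
    printf("cast removed: %ld\n", convert_sglist(big, 1, len, 0, 1));
    printf("zero, no cap: %ld\n", convert_sglist(zero, 1, 4096, 0, 0));
    printf("zero, capped: %ld\n", convert_sglist(zero, 1, 4096, 0, 1));
    return 0;
}
```

Neither fix covers the other's case: removing the cast does not help against zero-length elements, and the element limit is never reached when the chunk size is stuck at zero, which is why the commit message lists them as two separate bugs.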