[Qemu-devel] [PULL 2/2] scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]

2013-10-09 Paolo Bonzini
From: Asias He
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by the user, we have a buffer overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He
Tested-by: Michael Roth
Si

[Qemu-devel] [PULL 2/2] scsi: Allocate SCSITargetReq r->buf dynamically

2013-10-09 Paolo Bonzini
From: Asias He
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by the user, we have a buffer overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He
Tested-by: Michael Roth
Si