[PATCH 0/5] hw/scsi/spapr_vscsi: Fix time bomb zero-length array use

Philippe Mathieu-Daudé posted 5 patches 5 years, 8 months ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20200304153311.22959-1-philmd@redhat.com
Maintainers: Fam Zheng <fam@euphon.net>, David Gibson <david@gibson.dropbear.id.au>, Paolo Bonzini <pbonzini@redhat.com>
There is a newer version of this series
Posted by Philippe Mathieu-Daudé 5 years, 8 months ago
This series fixes a dangerous zero-length array use.
Simple patches first to clean the issue in the last patch:
dissociate the buffer holding DMA requests from the pointer to
SRP Information Unit packets.

Philippe Mathieu-Daudé (5):
  hw/scsi/viosrp: Add missing 'hw/scsi/srp.h' include
  hw/scsi/spapr_vscsi: Use SRP_MAX_IU_LEN instead of sizeof flexible
    array
  hw/scsi/spapr_vscsi: Simplify a bit
  hw/scsi/spapr_vscsi: Introduce req_ui() helper
  hw/scsi/spapr_vscsi: Do not mix SRP IU size with DMA buffer size

 hw/scsi/viosrp.h      |  4 ++-
 hw/scsi/spapr_vscsi.c | 60 ++++++++++++++++++++++++-------------------
 2 files changed, 37 insertions(+), 27 deletions(-)

-- 
2.21.1