mirror of
https://github.com/mii443/qemu.git
synced 2025-08-23 23:49:36 +00:00
961c74a841
This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes:1894df0281Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commitc170aad8b0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>