From 9792654499f4c21ec25156d8390396717e1d8e2f Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 22 Feb 2012 14:11:31 +0100
Subject: [PATCH 015/109] scsi: do not overwrite memory on REQUEST SENSE
 commands with a large buffer

RH-Author: Paolo Bonzini <pbonzini@redhat.com>
Message-id: <1329919979-20948-15-git-send-email-pbonzini@redhat.com>
Patchwork-id: 37498
O-Subject: [RHEL 6.3 qemu-kvm PATCH v2 014/102] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
Bugzilla: 782029
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Orit Wasserman <owasserm@redhat.com>

Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length.  This was not done
for REQUEST SENSE, and this patch fixes it.

Reported-by: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from 8b2a04eeb95212305d3a39170e1c4bc3dbe45e8a)
---
 hw/scsi-bus.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/scsi-bus.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 08d9ff4..d053b58 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -274,7 +274,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
         if (req->cmd.xfer < 4) {
             goto illegal_request;
         }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                        (req->cmd.buf[1] & 1) == 0);
         break;
     default:
-- 
1.7.7.6