iscsi: Don't blindly use designator length in response for memcpy

Per SCSI definition the designator_length we receive from INQUIRY is 8, 12 or at most 16, but we should be careful because the remote iscsi target may misbehave, otherwise we could have a buffer overflow. Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
author: Fam Zheng <famz@redhat.com> 2018-06-29 14:03:27 +0800
committer: Kevin Wolf <kwolf@redhat.com> 2018-06-29 14:20:56 +0200
commit: 1439b9c11002348eb80fcd3c90f07bf0f4f088dc (patch)
tree: 0cbfeb4b9c895027927b85690eefd4cee4056121 /block/iscsi.c
parent: e06f4639d8a93703eecc3aad06c8a3e9b2ef4968 (diff)
download: qemu-1439b9c11002348eb80fcd3c90f07bf0f4f088dc.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/block/iscsi.c b/block/iscsi.c
index bc84b14e20..9beb06d498 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -2226,7 +2226,7 @@ static void iscsi_populate_target_desc(unsigned char *desc, IscsiLun *lun)
     desc[5] = (dd->designator_type & 0xF)
         | ((dd->association & 3) << 4);
     desc[7] = dd->designator_length;
-    memcpy(desc + 8, dd->designator, dd->designator_length);
+    memcpy(desc + 8, dd->designator, MIN(dd->designator_length, 20));
 
     desc[28] = 0;
     desc[29] = (lun->block_size >> 16) & 0xFF;
author	Fam Zheng <famz@redhat.com>	2018-06-29 14:03:27 +0800
committer	Kevin Wolf <kwolf@redhat.com>	2018-06-29 14:20:56 +0200
commit	1439b9c11002348eb80fcd3c90f07bf0f4f088dc (patch)
tree	0cbfeb4b9c895027927b85690eefd4cee4056121 /block/iscsi.c
parent	e06f4639d8a93703eecc3aad06c8a3e9b2ef4968 (diff)
download	qemu-1439b9c11002348eb80fcd3c90f07bf0f4f088dc.zip