Hi,

while working on the iSCSI code in QEMU I came across the following line in iscsi_aio_ioctl:

    memcpy(&acb->task->cdb[0], acb->ioh->cmdp, acb->ioh->cmd_len);

Is there anything to ensure that the cmd_len is valid when the request is e.g. coming in via virtio_blk_handle_scsi? It seems that virtio-scsi does not allow passing ioctls directly from the guest, but at least virtio-blk does. And in virtio-blk it seems the data is blindly copied from elem->out_sg[1]. So it would be possible to overflow acb->task->cdb. Or am I wrong here?

Peter
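As an added illustration of the check the question is asking about (example code written here, not QEMU's or libiscsi's own), this is a guarded version of the copy: the length is validated against the fixed-size destination and against the size of the buffer the guest actually supplied before any bytes are moved. The type names, the 16-byte cdb size and the guest_buf_len parameter are assumptions for the example.

```c
/* Added example, not QEMU or libiscsi code. CdbTask, ScsiIoctlHdr and
 * guest_buf_len are assumed names; the 16-byte cdb is an assumed size. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDB_MAX 16              /* assumed fixed size of task->cdb */

typedef struct {
    uint8_t cdb[CDB_MAX];       /* fixed-size command descriptor block */
    size_t cdb_size;            /* bytes actually copied into cdb */
} CdbTask;

/* The guest-controlled header fields that matter here (sg_io_hdr-like). */
typedef struct {
    const uint8_t *cmdp;        /* CDB bytes, filled in by the guest */
    unsigned int cmd_len;       /* guest-chosen length: must not be trusted */
} ScsiIoctlHdr;

/* Constructed sample input: a 6-byte INQUIRY CDB, allocation length 36. */
const uint8_t sample_inquiry_cdb[6] = { 0x12, 0x00, 0x00, 0x00, 0x24, 0x00 };

/* Copy the CDB only after validating its length. Returns 0 on success or
 * -EINVAL, and leaves task->cdb untouched on failure. guest_buf_len is the
 * number of bytes really backing cmdp (e.g. the out_sg element's iov_len),
 * so cmd_len can neither overflow the destination nor over-read the source. */
int copy_cdb_checked(CdbTask *task, const ScsiIoctlHdr *ioh, size_t guest_buf_len)
{
    if (task == NULL || ioh == NULL || ioh->cmdp == NULL) {
        return -EINVAL;
    }
    /* Real CDBs are 6, 10, 12 or 16 bytes: reject zero and anything larger
     * than the destination before the memcpy, not after. */
    if (ioh->cmd_len == 0 || ioh->cmd_len > sizeof(task->cdb)) {
        return -EINVAL;
    }
    if (ioh->cmd_len > guest_buf_len) {   /* header claims more than was sent */
        return -EINVAL;
    }
    memset(task->cdb, 0, sizeof(task->cdb));
    memcpy(task->cdb, ioh->cmdp, ioh->cmd_len);
    task->cdb_size = ioh->cmd_len;
    return 0;
}

int main(void)
{
    CdbTask task;
    ScsiIoctlHdr good = { sample_inquiry_cdb, 6 };
    ScsiIoctlHdr oversized = { sample_inquiry_cdb, 64 };
    printf("good: %d, oversized: %d\n",
           copy_cdb_checked(&task, &good, sizeof sample_inquiry_cdb),
           copy_cdb_checked(&task, &oversized, 64));
    return 0;
}
```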