If cmdfifo contains ESP_CMDFIFO_SZ bytes and cmdfifo_cdb_offset is also ESP_CMDFIFO_SZ then if the guest issues an ESP command sequence that invokes esp_cdb_length(), scsi_cdb_length() can read one byte beyond the end of the FIFO buffer.
Add an extra length check to esp_cdb_length() to prevent reading past the end of the cmdfifo data in this case. Reported-by: Chuhong Yuan <hsleste...@gmail.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk> --- hw/scsi/esp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 0050493e18..05784b3f77 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -431,7 +431,8 @@ static int esp_cdb_length(ESPState *s) int cmdlen, len; cmdlen = fifo8_num_used(&s->cmdfifo); - if (cmdlen == 0 || cmdlen < s->cmdfifo_cdb_offset) { + if (cmdlen == 0 || cmdlen < s->cmdfifo_cdb_offset || + cmdlen >= ESP_CMDFIFO_SZ) { return 0; } -- 2.39.2
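Review bot: The new `cmdlen >= ESP_CMDFIFO_SZ` guard in the esp_cdb_length() hunk is broader than the bug it fixes: it returns 0 for every full cmdfifo, including the case where cmdfifo_cdb_offset is well below ESP_CMDFIFO_SZ and the whole CDB is already present, so a legitimate full-FIFO command would be refused. The condition the description identifies is `cmdlen == s->cmdfifo_cdb_offset` (no CDB byte in the FIFO at all), which the existing `cmdlen < s->cmdfifo_cdb_offset` test lets through; changing that comparison to `cmdlen <= s->cmdfifo_cdb_offset` covers the reported case, keeps scsi_cdb_length() from being handed an offset at which no command byte has been written, and drops the extra clause. A one-line comment explaining why equality must be rejected would also help the next reader, since the off-by-one is not obvious from the check alone.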