The prh_co_entry() routine handles requests. The first part is to read a
request by calling the prh_read_request() routine, if:
  1. scsi_cdb_xfer(req->cdb) call returns 0, and
  2. req->cdb[0] == PERSISTENT_RESERVE_IN, then
the resp->result field will be uninitialized. As a result the resp.sz
field will also be uninitialized in the prh_co_entry() function.

The second part is to send the response by calling the
prh_write_response() routine:
  1. For the PERSISTENT_RESERVE_IN command, and
  2. resp->result == GOOD (previous successful reply or just luck), then
there is a probability that the following assert will not be triggered:
  assert(resp->sz <= req->sz && resp->sz <= sizeof(client->data));
As a result some uninitialized response will be sent.
The fix is to initialize the response structure to CHECK_CONDITION and 0
values before calling the prh_read_request() routine.

Signed-off-by: Dima Stepanov <dimas...@yandex-team.ru>
--- scsi/qemu-pr-helper.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c index d0f8317..85878c2 100644 --- a/scsi/qemu-pr-helper.c +++ b/scsi/qemu-pr-helper.c @@ -768,6 +768,8 @@ static void coroutine_fn prh_co_entry(void *opaque) PRHelperResponse resp; int sz; + resp.result = CHECK_CONDITION; + resp.sz = 0; sz = prh_read_request(client, &req, &resp, &local_err); if (sz < 0) { break; -- 2.7.4
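Review bot: Initializing the response at its declaration rather than in two separate assignments would make the invariant obvious and cover every member of PRHelperResponse, not only the two named here; replacing `PRHelperResponse resp;` with `PRHelperResponse resp = { .result = CHECK_CONDITION, .sz = 0 };` (or a memset of the whole struct) achieves the same effect and stays correct if the struct gains fields later. Independently of that, the root cause described in the commit message is a path inside prh_read_request() (scsi_cdb_xfer() returning 0 for PERSISTENT_RESERVE_IN) that returns without setting resp->result; having that function set the result on every exit path would remove the reliance on callers pre-filling the response, and a short comment above the added lines explaining why the pre-fill is needed would help the next reader.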