From: P J P <[email protected]> While processing controller 'CTRL_GET_INFO' command, the routine 'megasas_ctrl_get_info' overflows the '&info' object size. Use its appropriate size to null initialise it.
Reported-by: Qinghao Tang <[email protected]> Signed-off-by: Prasad J Pandit <[email protected]> Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: [email protected] Signed-off-by: Paolo Bonzini <[email protected]> Signed-off-by: P J P <[email protected]> (cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811) Signed-off-by: Michael Roth <[email protected]> --- hw/scsi/megasas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index d7dc667..576f56c 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) BusChild *kid; int num_pd_disks = 0; - memset(&info, 0x0, cmd->iov_size); + memset(&info, 0x0, dcmd_size); if (cmd->iov_size < dcmd_size) { trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, dcmd_size); -- 1.9.1
