On Fri, Jun 15, 2018 at 12:11:44PM +0300, Dima Stepanov wrote:
> The prh_co_entry() routine handles requests. The first part is to read a
> request by calling the prh_read_request() routine, if:
> 1. scsi_cdb_xfer(req->cdb) call returns 0, and
> 2. req->cdb[0] == PERSISTENT_RESERVE_IN, then
> The resp->result field will be uninitialized. As a result the resp.sz
> field will also be uninitialized in the prh_co_entry() function.
> The second part is to send the response by calling the
> prh_write_response() routine:
> 1. For the PERSISTENT_RESERVE_IN command, and
> 2. resp->result == GOOD (previous successful reply or just luck), then
> There is a probability that the following assert will not be triggered:
> assert(resp->sz <= req->sz && resp->sz <= sizeof(client->data));
> As a result some uninitialized response will be sent.
>
> The fix is to initialize the response structure to CHECK_CONDITION and 0
> values before calling the prh_read_request() routine.
>
> Signed-off-by: Dima Stepanov <[email protected]>
> ---
>  scsi/qemu-pr-helper.c | 2 ++
>  1 file changed, 2 insertions(+)
CCing Paolo Bonzini, SCSI maintainer.
You can use scripts/get_maintainer.pl -f scsi/qemu-pr-helper.c to find
relevant people to CC on a patch.
>
> diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
> index d0f8317..85878c2 100644
> --- a/scsi/qemu-pr-helper.c
> +++ b/scsi/qemu-pr-helper.c
> @@ -768,6 +768,8 @@ static void coroutine_fn prh_co_entry(void *opaque)
> PRHelperResponse resp;
> int sz;
>
> + resp.result = CHECK_CONDITION;
> + resp.sz = 0;
> sz = prh_read_request(client, &req, &resp, &local_err);
> if (sz < 0) {
> break;
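Review bot: the commit message says the response structure is initialized, but the hunk only assigns resp.result and resp.sz, so any other member of PRHelperResponse stays uninitialized on the early-return path that prh_read_request takes when scsi_cdb_xfer() returns 0 for PERSISTENT_RESERVE_IN. Since resp is declared right above the new lines, a designated initializer at the declaration, e.g. `PRHelperResponse resp = { .result = CHECK_CONDITION };`, would zero every remaining field (sz included) and cover any future exit path from prh_read_request without relying on two separate assignments staying in sync with the struct layout.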
> --
> 2.7.4
>
>