Skip to content

Commit

Permalink
scsi: Silence gcc warning
Browse files Browse the repository at this point in the history 
On Fedora 33, gcc 10.2.1 notes that scsi_cdb_length(buf) can set
len==-1, which in turn overflows g_malloc():

[5/5] Linking target qemu-system-x86_64
In function ‘scsi_disk_new_request_dump’,
    inlined from ‘scsi_new_request’ at ../hw/scsi/scsi-disk.c:2608:9:
../hw/scsi/scsi-disk.c:2582:19: warning: argument 1 value ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
 2582 |     line_buffer = g_malloc(len * 5 + 1);
      |                   ^

Silence it with a decent assertion, since we only convert a buffer to
bytes when we have a valid cdb length.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210209152350.207958-1-eblake@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
  • Loading branch information
@ebblake @vivier
ebblake authored and vivier committed Mar 9, 2021
1 parent cba42d6 commit e91bae8
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions hw/scsi/scsi-disk.c
View file
Expand Up @@ -2565,6 +2565,7 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
int len = scsi_cdb_length(buf);
char *line_buffer, *p;

assert(len > 0 && len <= 16);
line_buffer = g_malloc(len * 5 + 1);

for (i = 0, p = line_buffer; i < len; i++) {
Expand Down

0 comments on commit e91bae8

Please sign in to comment.