Re: [PATCH] iscsi: Don't access non-existent scsi_lba_status_descriptor
From: Felipe Franciosi
Subject: Re: [PATCH] iscsi: Don't access non-existent scsi_lba_status_descriptor
Date: Thu, 23 Jan 2020 21:07:53 +0000
> On Jan 23, 2020, at 8:37 PM, John Snow <address@hidden> wrote:
>
>
>
> On 1/23/20 12:05 PM, Kevin Wolf wrote:
>> In iscsi_co_block_status(), we may have received num_descriptors == 0
>> from the iscsi server. Therefore, we can't unconditionally access
>> lbas->descriptors[0]. Add the missing check.
>>
>> Signed-off-by: Kevin Wolf <address@hidden>
>> ---
>> block/iscsi.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/block/iscsi.c b/block/iscsi.c
>> index cbd57294ab..c8feaa2f0e 100644
>> --- a/block/iscsi.c
>> +++ b/block/iscsi.c
>> @@ -753,7 +753,7 @@ retry:
>> }
>>
>> lbas = scsi_datain_unmarshall(iTask.task);
>> - if (lbas == NULL) {
>> + if (lbas == NULL || lbas->num_descriptors == 0) {
>> ret = -EIO;
>> goto out_unlock;
>> }
>>
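Review bot: The added `lbas->num_descriptors == 0` condition shares the `-EIO` exit with `lbas == NULL`, so a failed unmarshall and a response that simply carried no descriptors look identical to anyone debugging this path. A one-line comment above the condition, stating that the code after this check reads `lbas->descriptors[0]` and that the server may report zero descriptors, would document why the check exists. It is also worth stating in the commit message why `-EIO` is the chosen result for an empty descriptor list, since the hunk gives no reason for treating it as an I/O error.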
>
> Naive question: Does the specification allow for such a response? Is
> this inherently an error?
The spec doesn't say, but libiscsi (which Qemu should trust) may
return zero for num_descriptors with certain server responses (which
no one should trust).
https://github.com/sahlberg/libiscsi/blob/master/lib/scsi-lowlevel.c#L845
F.
>
> Anyway, this is better than accessing junk memory, so:
>
> Reviewed-by: John Snow <address@hidden>
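
The case discussed in this thread, as an added example (not QEMU's or libiscsi's code): a simplified parser for GET LBA STATUS parameter data, showing how a response from an untrusted target can yield zero descriptors and how the caller refuses it instead of reading the first slot. The byte layout is an assumption based on the SBC GET LBA STATUS format; the function names and sample buffers are hypothetical and constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (SBC GET LBA STATUS parameter data): 4-byte big-endian
 * length of what follows it, 4 reserved bytes, then 16-byte descriptors. */
#define HDR_LEN  8
#define DESC_LEN 16
struct lba_desc { uint64_t lba; uint32_t num_blocks; uint8_t provisioning; };

static uint64_t be(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* Whole descriptors really present in the buffer; 0 is a possible result. */
size_t lbas_count(const uint8_t *buf, size_t size)
{
    if (size < HDR_LEN) return 0;
    uint64_t total = be(buf, 4) + 4;   /* length the target claims */
    if (total > size) total = size;    /* clamp to bytes actually received */
    if (total < HDR_LEN) return 0;
    return (size_t)((total - HDR_LEN) / DESC_LEN);
}

/* Caller-side guard in the spirit of the patch: fail with -EIO rather than
 * read descriptor 0 when the response carried none. */
int lbas_first(const uint8_t *buf, size_t size, struct lba_desc *out)
{
    if (lbas_count(buf, size) == 0) return -EIO;
    const uint8_t *d = buf + HDR_LEN;
    out->lba = be(d, 8);
    out->num_blocks = (uint32_t)be(d + 8, 4);
    out->provisioning = d[12] & 0x0f;
    return 0;
}

/* Constructed sample responses (hypothetical, not captured traffic). */
const uint8_t hdr_only[8] = { 0, 0, 0, 4 };
const uint8_t one_desc[24] = { 0, 0, 0, 20, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0x10, 0, 0, 0, 0x08, 0, 0x01 };

int main(void)
{
    struct lba_desc d;
    printf("header only: %d, one descriptor: %d\n",
           lbas_first(hdr_only, sizeof hdr_only, &d),
           lbas_first(one_desc, sizeof one_desc, &d));
    return 0;
}
```

Passing `one_desc` with a size of 8 models a target whose length field claims more data than it delivered; the clamp makes the count zero in that case too.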