CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480)
CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 17:36:07 +0530
Subject: [PATCH] scsi: mptconfig: fix an assert expression

When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte. However, the size is expressed in 32-bit
units, so up to 1020 bytes fit. The assertion was only
allowing replies up to 252 bytes, so fix it.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..3e4f400 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256 && (ret % 4) == 0);
stb_p(*data + 1, ret / 4);
}
return ret;
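Review bot: the size bound in the changed line, `assert(ret / 4 < 256 && (ret % 4) == 0)`, is the only thing standing between `ret` and the one-byte store in `stb_p(*data + 1, ret / 4)`, and it sits inside `if (data)`. A call with `data` NULL therefore returns `ret` with no validation at all, and in a build where assertions are compiled out the store would silently truncate the dword count. Consider checking the bound before the `if (data)` branch so both paths are covered, and add a short comment that the header length byte counts 32-bit units, so the `4` and `256` are not bare magic numbers and the 1020-byte limit from the commit message is visible in the code.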