I think we should fix this anyway, even if it can only be triggered when trace functions are enabled
** Description changed:

- close!!!!!
+
+ In function megasas_handle_scsi(hw/scsi/megasas.c):
+
+ ```c
+ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+                                int frame_cmd)
+ {
+     ............................................................................
+     cdb = cmd->frame->pass.cdb;
+     target_id = cmd->frame->header.target_id;
+     lun_id = cmd->frame->header.lun_id;
+     cdb_len = cmd->frame->header.cdb_len;
+     ............................................................................
+     if (cdb_len > 16) {
+         trace_megasas_scsi_invalid_cdb_len(
+                 mfi_frame_desc[frame_cmd], is_logical,
+                 target_id, lun_id, cdb_len);
+         megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+         cmd->frame->header.scsi_status = CHECK_CONDITION;
+         s->event_count++;
+         return MFI_STAT_SCSI_DONE_WITH_ERROR;
+     }
+ }
+ ```
+
+ Two variables, frame_cmd and cdb_len, can be controlled by guest os. So
+ can mfi_frame_desc[frame_cmd] cause OOB bug ?

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1882065

Title:
  Could this cause OOB bug ?

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1882065/+subscriptions
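The defensive pattern the report is asking about, as an added illustration that is not QEMU's code and not the fix that was applied to megasas.c: a descriptor table indexed by a value taken from a guest-written frame must be bounds-checked before the lookup, and because `frame_cmd` is an `int`, a negative value has to be rejected as well as a value at or past the table length. The table `frame_desc`, the function `frame_desc_name` and the handler `check_cdb` are constructed for this example; the names and table contents are assumptions, not the device model's real descriptor strings.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a descriptor table indexed by a frame command code.
 * The entries and the table length are assumptions for this example only. */
static const char *const frame_desc[] = {
    "INIT", "LD_READ", "LD_WRITE", "LD_SCSI", "PD_SCSI",
    "DCMD", "ABORT", "SMP", "STP",
};
#define FRAME_DESC_COUNT (sizeof(frame_desc) / sizeof(frame_desc[0]))

/* Bounds-checked lookup. The index is a signed int, mirroring the excerpt's
 * frame_cmd parameter: a negative value and a value >= FRAME_DESC_COUNT are
 * both mapped to a fixed placeholder instead of reading outside the table.
 * The cast to size_t is done only after the negative case is excluded. */
static const char *frame_desc_name(int frame_cmd)
{
    if (frame_cmd < 0 || (size_t)frame_cmd >= FRAME_DESC_COUNT) {
        return "UNKNOWN";
    }
    return frame_desc[frame_cmd];
}

/* Mirrors the shape of the excerpt's cdb_len check, with the descriptor
 * resolved through the checked lookup so the diagnostic path itself cannot
 * become the memory-safety problem. Returns 0 when the CDB length is
 * acceptable and -1 when it must be rejected; the diagnostic text that a
 * trace point would receive is written into report. */
static int check_cdb(int frame_cmd, unsigned int cdb_len,
                     char *report, size_t report_len)
{
    const char *desc = frame_desc_name(frame_cmd);

    if (cdb_len > 16) {
        snprintf(report, report_len,
                 "invalid cdb_len %u for frame %s", cdb_len, desc);
        return -1;
    }
    snprintf(report, report_len, "frame %s cdb_len %u ok", desc, cdb_len);
    return 0;
}

int main(void)
{
    /* Constructed inputs: an in-range command, a negative one and a large
     * one, each paired with an over-long CDB so the diagnostic path runs. */
    const int cmds[] = { 3, -1, 100000 };
    char report[128];

    for (size_t i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        int rc = check_cdb(cmds[i], 32, report, sizeof(report));
        printf("frame_cmd=%d rc=%d: %s\n", cmds[i], rc, report);
    }
    return 0;
}
```

The lookup function is the only place that touches the table, so a caller cannot bypass the check; the placeholder string keeps the trace output useful without requiring the index to be valid.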