
scsi: mptsas: use g_new0 to allocate MPTSASRequest object

Message ID 1473684251-17476-1-git-send-email-ppandit@redhat.com (mailing list archive)
State New, archived

Commit Message

Prasad Pandit Sept. 12, 2016, 12:44 p.m. UTC
From: Li Qiang <liqiang6-s@360.cn>

When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, it could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/scsi/mptsas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paolo Bonzini Sept. 12, 2016, 12:58 p.m. UTC | #1
On 12/09/2016 14:44, P J P wrote:
> From: Li Qiang <liqiang6-s@360.cn>
> 
> When processing IO request in mptsas, it uses g_new to allocate
> a 'req' object. If an error occurs before 'req->sreq' is
> allocated, it could lead to an OOB write in mptsas_free_request
> function. Use g_new0 to avoid it.
> 
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Cc: qemu-stable@nongnu.org

Queued, thanks.

> ---
>  hw/scsi/mptsas.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
> index bebe513..7b02130 100644
> --- a/hw/scsi/mptsas.c
> +++ b/hw/scsi/mptsas.c
> @@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
>          goto bad;
>      }
>  
> -    req = g_new(MPTSASRequest, 1);
> +    req = g_new0(MPTSASRequest, 1);
>      QTAILQ_INSERT_TAIL(&s->pending, req, next);
>      req->scsi_io = *scsi_io;
>      req->dev = s;
>
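Review bot: the safety of the `goto bad` cleanup now depends on `req = g_new0(MPTSASRequest, 1);` leaving `req->sreq` NULL until it is assigned, but nothing at the allocation site says so. A one-line comment there, stating that mptsas_free_request relies on unset fields being zero, would keep a later cleanup from switching back to g_new or from adding a new pointer field that the free path touches before it is initialised.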

Patch

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index bebe513..7b02130 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@  static int mptsas_process_scsi_io_request(MPTSASState *s,
         goto bad;
     }
 
-    req = g_new(MPTSASRequest, 1);
+    req = g_new0(MPTSASRequest, 1);
     QTAILQ_INSERT_TAIL(&s->pending, req, next);
     req->scsi_io = *scsi_io;
     req->dev = s;
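Review bot: `QTAILQ_INSERT_TAIL(&s->pending, req, next);` still links the request into `s->pending` before `req->scsi_io` and `req->dev` are filled in, so a partially built request is reachable from the list for the rest of the function. With g_new0 the unset fields are zero rather than heap garbage, which is what the commit message relies on, but it would be more robust to populate the request first and insert it last, or, if the cleanup path needs the request to be on the list already, to say so in a comment next to the insert.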