* [Qemu-devel] [PATCH v2] scsi-disk: handle invalid cdb length
@ 2019-04-30 13:19 ` Bruce Rogers
From: Bruce Rogers @ 2019-04-30 13:19 UTC
To: qemu-devel; +Cc: pbonzini, fam, Bruce Rogers
While investigating link-time-optimization, the compiler flagged this
case of not handling the error return from scsi_cdb_length(). Handle
this error case with a trace report.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/scsi-disk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index e7e865ab3b..8fbf7512e5 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2520,6 +2520,10 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
int len = scsi_cdb_length(buf);
char *line_buffer, *p;
+ if (len < 0) {
+ trace_scsi_disk_new_request(lun, tag, "bad cdb length");
+ return;
+ }
line_buffer = g_malloc(len * 5 + 1);
for (i = 0, p = line_buffer; i < len; i++) {
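Review bot: passing the literal "bad cdb length" as the data argument of trace_scsi_disk_new_request() overloads a field that the rest of this function fills with the formatted CDB bytes, so the trace line will read as though the command data were that string; since scsi_cdb_length() should not return a negative value for a request that has already been constructed and accepted, an `assert(len >= 0)` right after `int len = scsi_cdb_length(buf);` states the invariant the code relies on, or a dedicated trace event would make the case unambiguous if it is meant to be observable. Either way the commit message should say what goes wrong without the check: with len == -1 the existing `g_malloc(len * 5 + 1)` computes -4, which converts to an enormous unsigned size that g_malloc cannot satisfy and aborts on, so the failure mode today is a crash in a debug-dump helper rather than a clean rejection.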
--
2.21.0
* Re: [Qemu-devel] [PATCH v2] scsi-disk: handle invalid cdb length
@ 2019-04-30 20:40 ` John Snow
From: John Snow @ 2019-04-30 20:40 UTC
To: Bruce Rogers, qemu-devel; +Cc: fam, pbonzini
On 4/30/19 9:19 AM, Bruce Rogers wrote:
> While investigating link-time-optimization, the compiler flagged this
> case of not handling the error return from scsi_cdb_length(). Handle
> this error case with a trace report.
>
> Signed-off-by: Bruce Rogers <brogers@suse.com>
> ---
> hw/scsi/scsi-disk.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
> index e7e865ab3b..8fbf7512e5 100644
> --- a/hw/scsi/scsi-disk.c
> +++ b/hw/scsi/scsi-disk.c
> @@ -2520,6 +2520,10 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
> int len = scsi_cdb_length(buf);
> char *line_buffer, *p;
>
> + if (len < 0) {
> + trace_scsi_disk_new_request(lun, tag, "bad cdb length");
This is going to print:
"Command: lun=%d tag=0x%x data=bad cdb length"
which is maybe not the best. I'd rather print something more direct, but
it's probably better than actually rolling forward with len = -1.
Then again, this should literally never happen, because scsi_req_new is
parsing the cdb object and already rejecting such cases.
Can you satisfy the compiler by asserting that it is greater than zero?
It ought to be provably true.
--js
> + return;
> + }
> line_buffer = g_malloc(len * 5 + 1);
>
> for (i = 0, p = line_buffer; i < len; i++) {
>
* Re: [Qemu-devel] [PATCH v2] scsi-disk: handle invalid cdb length
@ 2019-05-01 16:21 ` Bruce Rogers
From: Bruce Rogers @ 2019-05-01 16:21 UTC
To: qemu-devel, jsnow; +Cc: fam, Paolo Bonzini
>>> On 4/30/2019 at 2:40 PM, John Snow <jsnow@redhat.com> wrote:
>
> On 4/30/19 9:19 AM, Bruce Rogers wrote:
>> While investigating link-time-optimization, the compiler flagged this
>> case of not handling the error return from scsi_cdb_length(). Handle
>> this error case with a trace report.
>>
>> Signed-off-by: Bruce Rogers <brogers@suse.com>
>> ---
>> hw/scsi/scsi-disk.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
>> index e7e865ab3b..8fbf7512e5 100644
>> --- a/hw/scsi/scsi-disk.c
>> +++ b/hw/scsi/scsi-disk.c
>> @@ -2520,6 +2520,10 @@ static void scsi_disk_new_request_dump(uint32_t lun,
> uint32_t tag, uint8_t *buf)
>> int len = scsi_cdb_length(buf);
>> char *line_buffer, *p;
>>
>> + if (len < 0) {
>> + trace_scsi_disk_new_request(lun, tag, "bad cdb length");
>
> This is going to print:
>
> "Command: lun=%d tag=0x%x data=bad cdb length"
>
> which is maybe not the best. I'd rather print something more direct, but
> it's probably better than actually rolling forward with len = -1.
>
> Then again, this should literally never happen, because scsi_req_new is
> parsing the cdb object and already rejecting such cases.
>
Indeed, that is true.
> Can you satisfy the compiler by asserting that it is greater than zero?
> It ought to be provably true.
Yes, that seems to work and is probably the way to go. I'll send a patch
with that approach then. Thanks for the review.
>
> --js
>
>> + return;
>> + }
>> line_buffer = g_malloc(len * 5 + 1);
>>
>> for (i = 0, p = line_buffer; i < len; i++) {
>>
Bruce