Diffstat (limited to 'emulators/qemu/patches/patch-CVE-2016-7423')
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-742325
1 files changed, 25 insertions, 0 deletions
diff --git a/emulators/qemu/patches/patch-CVE-2016-7423 b/emulators/qemu/patches/patch-CVE-2016-7423
new file mode 100644
index 00000000000..c4d42627700
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7423
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2016-7423,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
+
+scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
++++ hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
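Review bot: The switch to `g_new0` on the new `req = g_new0(MPTSASRequest, 1);` line is only a complete fix if `mptsas_free_request` (outside this hunk) treats a NULL `req->sreq` and an all-zero `req->qsg` as "not yet set up" and skips the unref and list removal for them; the patch file does not show that function, so a pkgsrc maintainer cannot confirm the reasoning from this file alone. I would extend the patch header with a sentence stating that dependency, e.g. `Zero-filling req leaves req->sreq NULL, so the error exits between this allocation and scsi_req_new() reach mptsas_free_request with a state it can safely tear down.` The `goto bad` shown above the allocation is not the path being fixed — the exits of concern are later in `mptsas_process_scsi_io_request`, which begins and ends outside the hunk. It would also help to note in the header that the change is already upstream (QEMU 2.8 onward, presumably) so the patch can be dropped on the next update rather than carried indefinitely.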