    ee8c13b8
    pr-helper: avoid error on PR IN command with zero request size · ee8c13b8
    Paolo Bonzini authored
    
    
    After reading a PR IN command with zero request size in prh_read_request,
    the resp->result field will be uninitialized and the resp.sz field will
    also be uninitialized when returning to prh_co_entry.
    
    If resp->result == GOOD (from a previous successful reply or just luck),
    then the assert in prh_write_response might not be triggered and
    an uninitialized response will be sent.
    
    The fix is to remove the whole handling of sz == 0 in prh_co_entry.
    Those errors apply only to PR OUT commands and it's perfectly okay to
    catch them later in do_pr_out and multipath_pr_out; the check for
    too-short parameters in fact doesn't apply in the easy SG_IO case, as
    it can be left to the target firmware even.
    
    The result is that prh_read_request does not fail requests anymore and
    prh_co_entry becomes simpler.
    
    Reported-by: Dima Stepanov <dimastep@yandex-team.ru>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
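
The failure mode in the commit message, as an added example that is not QEMU's code: a simplified model in which a reply structure is reused across requests, so an early return on a zero-size request leaves the previous reply's status and length in place. All type and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not QEMU code: every name here is hypothetical. */
enum { GOOD = 0 };
typedef struct {
    int result;             /* status of the reply */
    int sz;                 /* number of valid bytes in data[] */
    unsigned char data[8];
} Response;

/* Stand-in for running the command: sets every field (req_sz <= 8). */
static void run_command(int req_sz, Response *resp)
{
    *resp = (Response){ .result = GOOD, .sz = req_sz };
    memset(resp->data, 0xAB, (size_t)req_sz);
}

/* Before: the zero-size path fails the request without writing resp. */
static int handle_before(int req_sz, Response *resp)
{
    if (req_sz == 0)
        return -1;          /* resp keeps whatever it held before */
    run_command(req_sz, resp);
    return 0;
}

/* After: no special case, so every request reaches the code that fills resp. */
static int handle_after(int req_sz, Response *resp)
{
    run_command(req_sz, resp);
    return 0;
}

/* One Response reused for a 4-byte request and then a zero-size one.
 * Returns how many bytes the second reply would claim to carry. */
static int second_reply_sz(int (*handle)(int, Response *))
{
    Response resp = {0};
    handle(4, &resp);
    handle(0, &resp);
    return resp.result == GOOD ? resp.sz : -1;
}

int main(void)
{
    printf("before: %d\n", second_reply_sz(handle_before));
    printf("after:  %d\n", second_reply_sz(handle_after));
    return 0;
}
```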