scsi: do not report bogus overruns for commands in the 0x00-0x1F range

Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only needed for READ_6 and WRITE_6. No other command in that range needs that special-casing, and the resulting overrun breaks scsi-testsuite's attempt to use command 2 as a known-invalid command. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-11-27 22:03:35 +08:00 · 2012-05-03 15:28:05 +02:00 · 2012-05-03 15:28:05 +02:00 · f62d059460
commit f62d059460
parent da8365dbab
1 changed files with 10 additions and 6 deletions
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@ -735,10 +735,6 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
    case 0:
        cmd->xfer = buf[4];
        cmd->len = 6;
-        /* length 0 means 256 blocks */
-        if (cmd->xfer == 0) {
-            cmd->xfer = 256;
-        }
        break;
    case 1:
    case 2:
@ -808,18 +804,26 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
            cmd->xfer = buf[9] | (buf[8] << 8);
        }
        break;
+    case WRITE_6:
+        /* length 0 means 256 blocks */
+        if (cmd->xfer == 0) {
+            cmd->xfer = 256;
+        }
    case WRITE_10:
    case WRITE_VERIFY_10:
-    case WRITE_6:
    case WRITE_12:
    case WRITE_VERIFY_12:
    case WRITE_16:
    case WRITE_VERIFY_16:
        cmd->xfer *= dev->blocksize;
        break;
-    case READ_10:
    case READ_6:
    case READ_REVERSE:
+        /* length 0 means 256 blocks */
+        if (cmd->xfer == 0) {
+            cmd->xfer = 256;
+        }
+    case READ_10:
    case RECOVER_BUFFERED_DATA:
    case READ_12:
    case READ_16: