Commit 6c8fa961 authored by Mauro Matteo Cascella's avatar Mauro Matteo Cascella Committed by Paolo Bonzini
Browse files

scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)

Set current_req->req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.

Fixes: CVE-2022-0216
Resolves: #972

Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <>
Reviewed-by: Thomas Huth's avatarThomas Huth <>
Message-Id: <>
Signed-off-by: Paolo Bonzini's avatarPaolo Bonzini <>
parent 170ed475
......@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
case 0x0d:
/* The ABORT TAG message clears the current I/O process only. */
if (current_req) {
if (current_req && current_req->req) {
current_req->req = NULL;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment