esp: don't reset async_len directly in esp_select() if cancelling request

Git-commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e
References: bsc#1180433, CVE-2020-35504
            bsc#1180434, CVE-2020-35505
            bsc#1180435, CVE-2020-35506

Instead let the SCSI layer invoke the .cancel callback itself to cancel and
reset the request state.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 0f88689eb8b0dfbec5654870f10ba8403fe7ab8d..8445ebdb1f14f911498289fb3c7375d8da2f4eb3 100644 (file)
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -93,6 +93,7 @@ void esp_request_cancelled(SCSIRequest *req)
         scsi_req_unref(s->current_req);
         s->current_req = NULL;
         s->current_dev = NULL;
+        s->async_len = 0;
     }
 }
 
@@ -133,7 +134,6 @@ static int get_cmd_cb(ESPState *s)
     if (s->current_req) {
         /* Started a new command before the old one finished.  Cancel it.  */
         scsi_req_cancel(s->current_req);
-        s->async_len = 0;
     }
 
     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);