hw/scsi/megasas: check for NULL frame in megasas_command_cancelled()

Git-commit: 00000000000000000000000000000000000000000000
References: bsc#1180432, CVE-2020-35503

Ensure that 'cmd->frame' is not NULL before accessing the 'header' field.
This check prevents a potential NULL pointer dereference issue.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Acked-By: Jose R Ziviani <jose.ziviani@suse.com>

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 1bdd25e55684c7b6026381a97f3ea782293abafa..376ac1f0c238e7bf86a294fa10e18b35bed73411 100644 (file)
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1884,7 +1884,7 @@ static void megasas_command_cancelled(SCSIRequest *req)
 {
     MegasasCmd *cmd = req->hba_private;
 
-    if (!cmd) {
+    if (!cmd || !cmd->frame) {
         return;
     }
     cmd->frame->header.cmd_status = MFI_STAT_SCSI_IO_FAILED;