From: Mauro Matteo Cascella
Date: Thu, 24 Dec 2020 17:54:41 +0000 (+0100)
Subject: hw/scsi/megasas: check for NULL frame in megasas_command_cancelled()
X-Git-Tag: upstream/4.2.1~40
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ea8f95813979aa76158ee1f7ebb8479794c68d67;p=tools%2Fqemu-arm-static.git

hw/scsi/megasas: check for NULL frame in megasas_command_cancelled()

Git-commit: 00000000000000000000000000000000000000000000
References: bsc#1180432, CVE-2020-35503

Ensure that 'cmd->frame' is not NULL before accessing the 'header' field.
This check prevents a potential NULL pointer dereference issue.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
Signed-off-by: Mauro Matteo Cascella
Reported-by: Cheolwoo Myung
Acked-By: Jose R Ziviani
---
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 1bdd25e55..376ac1f0c 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -1884,7 +1884,7 @@ static void megasas_command_cancelled(SCSIRequest *req) { MegasasCmd *cmd = req->hba_private; - if (!cmd) { + if (!cmd || !cmd->frame) { return; } cmd->frame->header.cmd_status = MFI_STAT_SCSI_IO_FAILED;
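Review bot: The new `!cmd->frame` test in megasas_command_cancelled() returns silently, so a cancelled request whose command has no frame never has MFI_STAT_SCSI_IO_FAILED recorded and leaves no trace, and the commit message does not say how `cmd` can still be reachable through `req->hba_private` once its frame is NULL. Please add a short comment at the check naming the state that leaves `frame` NULL, and consider whether `hba_private` should be cleared at the point the frame is released, since this guard only covers the one dereference shown here. Any other path that reads `cmd->frame` for the same request would need the same check; that cannot be confirmed from this hunk alone.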