vhost_scsi: validate length of virtio descriptors

		*desc_table = spdk_vhost_gpa_to_vva(vdev, (*desc)->addr);

		*desc_table_size = (*desc)->len / sizeof(**desc);

		*desc = *desc_table;

		if (*desc == NULL) {

			return -1;

		}

		return 0;

	}

 * table.

 * \param desc_table_size size of the *desc_table*

 * \return 0 on success, -1 if given index is invalid.

 * If -1 is returned, the params won't be changed.

 * If -1 is returned, the content of params is undefined.

 */

int spdk_vhost_vq_get_desc(struct spdk_vhost_dev *vdev, struct spdk_vhost_virtqueue *vq,

			   uint16_t req_idx, struct vring_desc **desc, struct vring_desc **desc_table,

	switch (ctrl_req->type) {

	case VIRTIO_SCSI_T_TMF:

		task->tmf_resp = spdk_vhost_gpa_to_vva(vdev, desc->addr);

		if (spdk_unlikely(desc->len < sizeof(struct virtio_scsi_ctrl_tmf_resp) || task->tmf_resp == NULL)) {

			SPDK_ERRLOG("%s: TMF response descriptor at index %d points to invalid guest memory region\n",

				    vdev->name, task->req_idx);

			goto out;

		}

		/* Check if we are processing a valid request */

		if (task->scsi_dev == NULL) {

	case VIRTIO_SCSI_T_AN_QUERY:

	case VIRTIO_SCSI_T_AN_SUBSCRIBE: {

		an_resp = spdk_vhost_gpa_to_vva(vdev, desc->addr);

		if (spdk_unlikely(desc->len < sizeof(struct virtio_scsi_ctrl_an_resp) || an_resp == NULL)) {

			SPDK_WARNLOG("%s: Asynchronous response descriptor points to invalid guest memory region\n",

				     vdev->name);

			goto out;

		}

		an_resp->response = VIRTIO_SCSI_S_ABORTED;

		break;

	}

	rc = spdk_vhost_vq_get_desc(vdev, task->vq, task->req_idx, &desc, &desc_table, &desc_table_len);

	/* First descriptor must be readable */

	if (rc != 0 || spdk_unlikely(spdk_vhost_vring_desc_is_wr(desc))) {

	if (spdk_unlikely(rc != 0  || spdk_vhost_vring_desc_is_wr(desc) ||

			  desc->len < sizeof(struct virtio_scsi_cmd_req))) {

		SPDK_WARNLOG("%s: invalid first (request) descriptor at index %"PRIu16".\n",

			     vdev->name, task->req_idx);

		goto invalid_task;

	}

	*req = spdk_vhost_gpa_to_vva(vdev, desc->addr);

	if (spdk_unlikely(*req == NULL)) {

		SPDK_WARNLOG("%s: Request descriptor at index %d points to invalid guest memory region\n",

			     vdev->name, task->req_idx);

		goto invalid_task;

	}

	/* Each request must have at least 2 descriptors (e.g. request and response) */

	spdk_vhost_vring_desc_get_next(&desc, desc_table, desc_table_len);

		 * FROM_DEV (READ): [RD_req][WR_resp][WR_buf0]...[WR_bufN]

		 */

		task->resp = spdk_vhost_gpa_to_vva(vdev, desc->addr);

		if (spdk_unlikely(desc->len < sizeof(struct virtio_scsi_cmd_resp) || task->resp == NULL)) {

			SPDK_WARNLOG("%s: Response descriptor at index %d points to invalid guest memory region\n",

				     vdev->name, task->req_idx);

			goto invalid_task;

		}

		rc = spdk_vhost_vring_desc_get_next(&desc, desc_table, desc_table_len);

		if (spdk_unlikely(rc != 0)) {

			SPDK_WARNLOG("%s: invalid descriptor chain at request index %d (descriptor id overflow?).\n",

		}

		task->resp = spdk_vhost_gpa_to_vva(vdev, desc->addr);

		if (spdk_unlikely(desc->len < sizeof(struct virtio_scsi_cmd_resp) || task->resp == NULL)) {

			SPDK_WARNLOG("%s: Response descriptor at index %d points to invalid guest memory region\n",

				     vdev->name, task->req_idx);

			goto invalid_task;

		}

	}

	if (iovcnt == iovcnt_max) {