Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation.

As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes.

To reproduce.

1. launch qemu with scsi emulatoin
qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
2. issues scsi command via ioctl(SG_IO) on guest linux. like below.

-------------------------
struct request_sense sens;
struct sg_io_hdr sg;
unsigned char cdb[6];
unsigned char buf[127];

memset( &sens, 0, sizeof(sens) );
memset(&sg, 0, sizeof(sg));
memset(cdb, 0, sizeof(cdb));
memset(buf, 0, sizeof(buf));

// qemu crash!!!
cdb[0] = 0xff;

sg.dxferp = buf;
sg.dxfer_len = sizeof(buf);
sg.dxfer_direction = SG_DXFER_FROM_DEV;
sg.flags = 0;
sg.interface_id = 'S';
sg.cmdp = cdb;
sg.cmd_len = sizeof( cdb );
sg.sbp = (unsigned char*)&sens;
sg.mx_sb_len = sizeof( sens );

ioctl( fd, SG_IO, &sg );
-------------------------

I think cause is below code.

scsi-bus.c L1239
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
    int rc;

    cmd->lba = -1;
    cmd->len = scsi_cdb_length(buf);
    ...
    memcpy(cmd->buf, buf, cmd->len);
}

scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.

Environment
Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
Guest: linux kernel 3.18.4 + buildroot
Host: Windows 7 64bit

Thanks,
hiroaki