From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:53508) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlUQo-0004hA-B6 for qemu-devel@nongnu.org; Mon, 25 Jul 2011 19:19:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QlUQm-0000pM-QD for qemu-devel@nongnu.org; Mon, 25 Jul 2011 19:19:26 -0400 Received: from smtp-out.google.com ([74.125.121.67]:5138) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlUQm-0000p7-BK for qemu-devel@nongnu.org; Mon, 25 Jul 2011 19:19:24 -0400 From: Vincent Palatin Date: Mon, 25 Jul 2011 16:19:06 -0700 Message-Id: <1311635951-11047-3-git-send-email-vpalatin@chromium.org> In-Reply-To: <1311635951-11047-1-git-send-email-vpalatin@chromium.org> References: <1311635951-11047-1-git-send-email-vpalatin@chromium.org> Subject: [Qemu-devel] [PATCH 2/7] sd: fix card size checking on R/W accesses List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Qemu devel Cc: Vincent Palatin We need to check that we are not crossing the boundaries of the card for the current access not for the next one which might not happen. Signed-off-by: Vincent Palatin --- hw/sd.c | 22 ++++++++++++---------- 1 files changed, 12 insertions(+), 10 deletions(-) diff --git a/hw/sd.c b/hw/sd.c index f48d589..de477fe 100644 --- a/hw/sd.c +++ b/hw/sd.c @@ -1451,11 +1451,6 @@ void sd_write_data(SDState *sd, uint8_t value) sd->data[sd->data_offset ++] = value; if (sd->data_offset >= sd->blk_len) { /* TODO: Check CRC before committing */ - sd->state = sd_programming_state; - BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); - sd->blk_written ++; - sd->data_start += sd->blk_len; - sd->data_offset = 0; if (sd->data_start + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; break; 
@@ -1464,6 +1459,11 @@ void sd_write_data(SDState *sd, uint8_t value) sd->card_status |= WP_VIOLATION; break; } + sd->state = sd_programming_state; + BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); + sd->blk_written ++; + sd->data_start += sd->blk_len; + sd->data_offset = 0; sd->csd[14] |= 0x40; /* Bzzzzzzztt .... Operation complete. */ @@ -1606,17 +1606,19 @@ uint8_t sd_read_data(SDState *sd) break; case 18: /* CMD18: READ_MULTIPLE_BLOCK */ - if (sd->data_offset == 0) + if (sd->data_offset == 0) { + if (sd->data_start + io_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; + ret = 0; + break; + } BLK_READ_BLOCK(sd->data_start, io_len); + } ret = sd->data[sd->data_offset ++]; if (sd->data_offset >= io_len) { sd->data_start += io_len; sd->data_offset = 0; - if (sd->data_start + io_len > sd->size) { - sd->card_status |= ADDRESS_ERROR; - break; - } } break; -- 1.7.3.1
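Review bot: in the sd_write_data hunks (@@ -1451 and @@ -1464), `sd->data_offset = 0;` now sits after the ADDRESS_ERROR and WP_VIOLATION `break`s, so on either error path data_offset is left equal to blk_len while the card remains in the receiving-data state. Please confirm that the function's entry checks refuse further data bytes once card_status carries ADDRESS_ERROR or WP_VIOLATION; if they do not, the next sd_write_data call would store at `sd->data[sd->blk_len]`, one past the block buffer, and resetting the offset before the `break` (or right where card_status is set) would close that. The reordering itself is correct: BLK_WRITE_BLOCK is now reached only after the bound check on the block actually being committed, so a block starting at or beyond sd->size is rejected before it is handed to the block layer, and the old behaviour of raising ADDRESS_ERROR after a valid final block had already been written goes away.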
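Review bot: in the sd_read_data hunk (@@ -1606), only the CMD18 case gains the pre-fetch check; the single-block read and write commands are outside this diff, so please confirm they already test `data_start + len > size` before their BLK_READ_BLOCK/BLK_WRITE_BLOCK, or cover them in a follow-up so the single- and multiple-block paths agree. The new placement is the right shape: the check runs when `sd->data_offset == 0`, before BLK_READ_BLOCK, and leaves data_start and data_offset untouched on failure, so a repeated read keeps failing in place instead of advancing past the end of the card, and removing the old post-increment check stops a valid last block from being flagged. One readability point: the `break` inside the nested `if` leaves the whole `case 18` (skipping `ret = sd->data[...]`), which is intended here but easy to misread as leaving the inner block; a short comment on that line, and on `ret = 0;` stating that the host reads zeros after ADDRESS_ERROR, would help the next reader.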