* [Qemu-devel] [PATCH v2] scsi: esp: check length before dma read
@ 2016-06-15 12:08 P J P
0 siblings, 0 replies; only message in thread
From: P J P @ 2016-06-15 12:08 UTC (permalink / raw)
To: Qemu Developers; +Cc: Paolo Bonzini, Li Qiang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
While doing DMA read into ESP command buffer 's->cmdbuf', the
length parameter could exceed the buffer size. Add check to avoid
OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
Update:
- corrected Li Qiang's email id above.
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..dfea571 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
trace_esp_do_dma(s->cmdlen, len);
+ if (s->cmdlen + len >= sizeof(s->cmdbuf)) {
+ return;
+ }
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
--
2.5.5
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-06-15 12:09 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-06-15 12:08 [Qemu-devel] [PATCH v2] scsi: esp: check length before dma read P J P
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).