From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33984) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bD9d9-0003qh-V4 for qemu-devel@nongnu.org; Wed, 15 Jun 2016 08:09:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bD9d5-0000jK-Mf for qemu-devel@nongnu.org; Wed, 15 Jun 2016 08:09:10 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46035) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bD9d5-0000jF-HH for qemu-devel@nongnu.org; Wed, 15 Jun 2016 08:09:07 -0400 From: P J P Date: Wed, 15 Jun 2016 17:38:58 +0530 Message-Id: <1465992538-18320-1-git-send-email-ppandit@redhat.com> Subject: [Qemu-devel] [PATCH v2] scsi: esp: check length before dma read List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Qemu Developers Cc: Paolo Bonzini , Li Qiang , Prasad J Pandit From: Prasad J Pandit While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit --- hw/scsi/esp.c | 3 +++ 1 file changed, 3 insertions(+) Update: - corrected Li Qiang's email id above. diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 4b94bbc..dfea571 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s) len = s->dma_left; if (s->do_cmd) { trace_esp_do_dma(s->cmdlen, len); + if (s->cmdlen + len >= sizeof(s->cmdbuf)) { + return; + } s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); s->ti_size = 0; s->cmdlen = 0; -- 2.5.5