From: Paolo Bonzini
To: P J P, Qemu Developers
Cc: Li Qiang, Laszlo Ersek, Prasad J Pandit
Date: Wed, 15 Jun 2016 18:36:51 +0200
Subject: Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
Message-ID: <97a65801-e94d-9ea8-80f4-4caa4a8cf4a4@redhat.com>
In-Reply-To: <1466007376-27333-1-git-send-email-ppandit@redhat.com>

On 15/06/2016 18:16, P J P wrote:
> From: Prasad J Pandit
>
> While doing DMA read into ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add check to avoid
> OOB access. Also increase the command buffer size to 32, which
> is maximum when 's->do_cmd' is set.

Actually, the commit message is wrong. The length parameter cannot exceed
the buffer size anymore.

Can you do a v4 with the corrected commit message and an assert that avoids
overflows like in Laszlo's proposal? I think this:

    assert(s->cmdlen <= sizeof(s->cmdbuf) &&
           len <= sizeof(s->cmdbuf) - s->cmdlen);

would do.

Thanks,

Paolo
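The invariant in the proposed assert, shown as an added, stand-alone example rather than QEMU's own ESP code: a toy state with a 32-byte command buffer (the size the patch description mentions) and a fill level, plus an append routine that checks the remaining space before copying. The names `toy_esp_state`, `toy_esp_cmdbuf_append` and `toy_esp_demo` are hypothetical and do not exist in QEMU.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model (not QEMU's real ESPState) of the command buffer discussed in
 * the thread: 32 bytes, which the patch says is the maximum needed when
 * do_cmd is set, plus a fill level cmdlen. */
#define ESP_CMDBUF_SZ 32

typedef struct {
    uint8_t cmdbuf[ESP_CMDBUF_SZ];
    size_t  cmdlen;
} toy_esp_state;

/* Append `len` bytes of DMA data to the command buffer.
 * Returns the number of bytes accepted: `len` on success, 0 if the
 * request would not fit. Nothing is written on rejection. */
size_t toy_esp_cmdbuf_append(toy_esp_state *s, const uint8_t *buf, size_t len)
{
    /* First half of the proposed assert: the fill level never exceeds the
     * buffer. With that established, the subtraction below cannot wrap. */
    assert(s->cmdlen <= sizeof(s->cmdbuf));

    /* Second half, as a runtime check on untrusted input: the request may
     * use at most the remaining space. Written as a subtraction rather
     * than `cmdlen + len <= sizeof`, so a huge `len` cannot overflow the
     * addition and slip past the comparison. */
    if (len > sizeof(s->cmdbuf) - s->cmdlen) {
        return 0;                      /* would be an OOB write: reject */
    }
    memcpy(s->cmdbuf + s->cmdlen, buf, len);
    s->cmdlen += len;
    assert(s->cmdlen <= sizeof(s->cmdbuf));
    return len;
}

/* Exercise the check with constructed input: 20 bytes, then 12 (exactly
 * full), then one more byte that must be rejected with cmdlen unchanged.
 * Returns 1 if every step behaves as expected, 0 otherwise. */
int toy_esp_demo(void)
{
    toy_esp_state s;
    uint8_t chunk[64];                 /* constructed sample DMA payload */
    memset(&s, 0, sizeof(s));
    memset(chunk, 0xAB, sizeof(chunk));

    if (toy_esp_cmdbuf_append(&s, chunk, 20) != 20) return 0;
    if (toy_esp_cmdbuf_append(&s, chunk, 12) != 12) return 0;  /* fills to 32 */
    if (s.cmdlen != ESP_CMDBUF_SZ) return 0;
    if (toy_esp_cmdbuf_append(&s, chunk, 1) != 0) return 0;    /* rejected */
    if (s.cmdlen != ESP_CMDBUF_SZ) return 0;                   /* unchanged */
    return 1;
}
```

The point of keeping the `cmdlen <= sizeof(cmdbuf)` half as an assert and the `len` half as a rejecting check is that the former is a program invariant (a violation is a bug in the device model), while the latter is a bound on guest-controlled input and should fail gracefully rather than abort the emulator.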