From: Prasad J Pandit <p...@fedoraproject.org> While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access.
Reported-by: Li Qiang <liqiang...@360.cn> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/scsi/esp.c | 3 +++ 1 file changed, 3 insertions(+) Update: - corrected Li Qiang's email id above. diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 4b94bbc..dfea571 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s) len = s->dma_left; if (s->do_cmd) { trace_esp_do_dma(s->cmdlen, len); + if (s->cmdlen + len >= sizeof(s->cmdbuf)) { + return; + } s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); s->ti_size = 0; s->cmdlen = 0; -- 2.5.5