+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
| So a better fix is to change cmdbuf[] to 32 bytes in
| include/hw/scsi/esp.h, and define a constant ESP_CMDBUF_SZ equal to 32
| that can be used in handle_ti and in the definition of cmdbuf.
Sent a revised patch v3. Thank you.
--
Prasad J Pandit
On 15/06/2016 14:11, Laszlo Ersek wrote:
> (1) In my opinion, this check is not sufficient. All of the following
> objects:
>
> - the "len" local variable
> - the "ESPState.dma_left" field
> - the "ESPState.cmdlen" field
>
> have type "uint32_t" (that is, "unsigned int"). Therefore the
On 06/15/16 11:29, P J P wrote:
> From: Prasad J Pandit
>
> While doing a DMA read into the ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add a check to avoid
> OOB access.
>
> Reported-by: Li Qiang
> Signed-off-by: Prasad
From: Prasad J Pandit
While doing a DMA read into the ESP command buffer 's->cmdbuf', the
length parameter could exceed the buffer size. Add a check to avoid
OOB access.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
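Added example, not code from the thread or from QEMU: a minimal model of a fixed-size command buffer being filled by a guest-controlled DMA length, showing why the bounds check has to be written against the remaining space rather than against a sum. It follows Laszlo Ersek's observation that "len", "dma_left" and "cmdlen" are all "uint32_t", and Paolo Bonzini's suggestion of a 32-byte buffer with an ESP_CMDBUF_SZ constant. The struct "CmdBufModel", the functions "cmdbuf_fits_naive", "cmdbuf_fits", "cmdbuf_dma_read" and "demo_wraparound_rejected", and the sample command bytes are all constructed for this illustration and do not correspond to anything in hw/scsi/esp.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not QEMU's code: a model of a fixed-size SCSI command
 * buffer filled by DMA. ESP_CMDBUF_SZ follows the 32-byte size suggested
 * in the thread; the struct and function names are hypothetical. */
#define ESP_CMDBUF_SZ 32

typedef struct {
    uint8_t  cmdbuf[ESP_CMDBUF_SZ];
    uint32_t cmdlen;   /* bytes already stored in cmdbuf */
} CmdBufModel;

/* The guard as it is often written first. Both operands are uint32_t, so
 * cmdlen + len can wrap to a small value and the comparison passes even
 * though len alone is far larger than the buffer. Returns true when the
 * copy would be allowed. */
bool cmdbuf_fits_naive(uint32_t cmdlen, uint32_t len)
{
    return cmdlen + len <= ESP_CMDBUF_SZ;
}

/* Overflow-free form: compare len against the space left, never against
 * a sum. cmdlen is bounded first so the subtraction cannot wrap either. */
bool cmdbuf_fits(uint32_t cmdlen, uint32_t len)
{
    return cmdlen <= ESP_CMDBUF_SZ && len <= ESP_CMDBUF_SZ - cmdlen;
}

/* Model of the DMA read into cmdbuf. Returns the number of bytes copied,
 * or -1 if the supplied length would run past the buffer; nothing is
 * written in the rejected case. */
int cmdbuf_dma_read(CmdBufModel *s, const uint8_t *src, uint32_t len)
{
    if (!cmdbuf_fits(s->cmdlen, len)) {
        return -1;
    }
    memcpy(&s->cmdbuf[s->cmdlen], src, len);
    s->cmdlen += len;
    return (int)len;
}

/* Constructed scenario: a 16-byte command is transferred, then a second
 * transfer whose length makes the naive sum wrap to exactly zero.
 * Returns true when the naive check accepts it and the fixed check
 * rejects it without touching the buffer. */
bool demo_wraparound_rejected(void)
{
    static const uint8_t cdb[16] = { 0x28 };   /* READ(10) opcode, rest zero */
    CmdBufModel s = { .cmdlen = 0 };

    if (cmdbuf_dma_read(&s, cdb, sizeof cdb) != 16) {
        return false;
    }

    /* cmdlen + evil == 2^32, i.e. 0 after uint32_t wraparound */
    uint32_t evil = UINT32_MAX - s.cmdlen + 1;
    bool naive_allows = cmdbuf_fits_naive(s.cmdlen, evil);   /* true  */
    bool fixed_allows = cmdbuf_fits(s.cmdlen, evil);         /* false */

    return naive_allows && !fixed_allows
        && cmdbuf_dma_read(&s, cdb, evil) == -1
        && s.cmdlen == 16;
}
```

The second form is the one to keep: with the "cmdlen <= ESP_CMDBUF_SZ" invariant held, "ESP_CMDBUF_SZ - cmdlen" is always a valid remaining-space value, and comparing "len" against it cannot be defeated by choosing a length near UINT32_MAX.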