On Tue, 09 Jul 2024 17:16, Matias Ezequiel Vara Larsen
wrote:
Thanks Manos for sending this,
On Mon, Jul 08, 2024 at 10:09:49AM +0300, Manos Pitsidianakis wrote:
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
Thanks Manos for sending this,
On Mon, Jul 08, 2024 at 10:09:49AM +0300, Manos Pitsidianakis wrote:
> When reading input audio in the virtio-snd input callback,
> virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
> the data buffer. This is because we use the buffer->size fie
Thanks for the review Philippe,
On Mon, 08 Jul 2024 11:28, Philippe Mathieu-Daudé wrote:
+max_size = iov_size(buffer->elem->in_sg,
buffer->elem->in_num);
for (;;) {
+if (buffer->size >= max_size) {
+return_rx_buffer(st
On 8/7/24 09:09, Manos Pitsidianakis wrote:
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left li
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left like in TX buffers.
This triggers an out of bou