Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
Date: Wed, 15 Jun 2016 18:36:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
On 15/06/2016 18:16, P J P wrote:
> From: Prasad J Pandit <address@hidden>
>
> While doing DMA read into ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add check to avoid
> OOB access. Also increase the command buffer size to 32, which
> is maximum when 's->do_cmd' is set.
Actually, the commit message is wrong. The length parameter cannot
exceed the buffer size anymore. Can you do a v4 with the corrected
commit message and an assert that avoids overflows like in Laszlo's
proposal? I think this:
    assert (s->cmdlen <= sizeof(s->cmdbuf) &&
            len <= sizeof(s->cmdbuf) - s->cmdlen);
would do.
Thanks,
Paolo
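
Added example (not part of the original message and not QEMU's code): why the assert above compares len against the remaining space instead of testing cmdlen + len against the buffer size. The struct, the function names and the 32-bit field widths are assumptions made for illustration; the size 32 is the one given in the quoted commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CMDBUF_SIZE 32u   /* size named in the quoted commit message */

/* Hypothetical stand-in for the device state; not QEMU's structure. */
struct cmd_state {
    uint8_t  cmdbuf[CMDBUF_SIZE];
    uint32_t cmdlen;      /* bytes already stored in cmdbuf */
};

/* Additive form: cmdlen + len is computed in 32 bits and can wrap. */
static bool fits_additive(uint32_t cmdlen, uint32_t len)
{
    return cmdlen + len <= CMDBUF_SIZE;
}

/* Subtractive form, as in the message: the subtraction is evaluated only
 * after cmdlen <= size holds, so no intermediate value can wrap. */
static bool fits_subtractive(uint32_t cmdlen, uint32_t len)
{
    return cmdlen <= CMDBUF_SIZE && len <= CMDBUF_SIZE - cmdlen;
}

/* Append len bytes; returns false and leaves the state untouched when
 * the request does not fit in the remaining space. */
static bool cmd_append(struct cmd_state *s, const uint8_t *src, uint32_t len)
{
    if (!fits_subtractive(s->cmdlen, len)) {
        return false;
    }
    memcpy(&s->cmdbuf[s->cmdlen], src, len);
    s->cmdlen += len;
    return true;
}

int main(void)
{
    struct cmd_state s = {0};
    uint8_t src[CMDBUF_SIZE] = {0};
    uint32_t huge = UINT32_MAX - 7;   /* constructed out-of-range length */

    cmd_append(&s, src, 16);
    /* 16 + huge wraps to 8, so the additive check would accept it. */
    return (fits_additive(s.cmdlen, huge) && !cmd_append(&s, src, huge)) ? 0 : 1;
}
```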