ShuriZma
/
xemu
mirror of https://github.com/xemu-project/xemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lsi53c895a: avoid out of bounds access to s->msg[] 

If no bytes are there to process in the message in phase,
the input data latch (s->sidl) is set to s->msg[-1].  Just
do nothing since no DMA is performed.

Reported-by: Chuhong Yuan <hslester96@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2024-03-31 20:04:41 +02:00
parent 1d1ee7e0a1
commit e497e6a557
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
hw/scsi/lsi53c895a.c
View File

@ -927,13 +927,18 @@ static void lsi_do_msgin(LSIState *s)
assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
if (len > s->dbc) if (len > s->dbc)
len = s->dbc; len = s->dbc;
pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
/* Linux drivers rely on the last byte being in the SIDL. */ if (len) {
s->sidl = s->msg[len - 1]; pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
s->msg_len -= len; /* Linux drivers rely on the last byte being in the SIDL. */
if (s->msg_len) { s->sidl = s->msg[len - 1];
memmove(s->msg, s->msg + len, s->msg_len); s->msg_len -= len;
} else { if (s->msg_len) {
memmove(s->msg, s->msg + len, s->msg_len);
}
}
if (!s->msg_len) {
/* ??? Check if ATN (not yet implemented) is asserted and maybe /* ??? Check if ATN (not yet implemented) is asserted and maybe
switch to PHASE_MO. */ switch to PHASE_MO. */
switch (s->msg_action) { switch (s->msg_action) {