On 18 October 2016 at 10:47, P J P <ppan...@redhat.com> wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > The Cadence UART device emulator calculates speed by dividing the > baud rate by a divider. If this divider was to be zero or if baud > rate was to be lesser than the divider, it could lead to a divide > by zero error. Add check to avoid it. > > Reported-by: Huawei PSIRT <ps...@huawei.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/char/cadence_uart.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index e3bc52f..b18dd7f 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -170,6 +170,10 @@ static void uart_parameters_setup(CadenceUARTState *s) > baud_rate = (s->r[R_MR] & UART_MR_CLKS) ? > UART_INPUT_CLK / 8 : UART_INPUT_CLK; > > + if (!s->r[R_BRGR] || !(s->r[R_BDIV] + 1) > + || baud_rate < (s->r[R_BRGR] * (s->r[R_BDIV] + 1))) { > + return; > + } > ssp.speed = baud_rate / (s->r[R_BRGR] * (s->r[R_BDIV] + 1)); > packet_size = 1;
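Review bot: The early `return` in the new check in uart_parameters_setup() comes before `packet_size = 1;`, so when the check triggers, everything after the speed calculation is skipped, not only the `ssp.speed` assignment. Consider guarding just the division, for example by leaving `ssp.speed` unchanged or giving it a defined fallback, and letting the rest of the function run. Separately, the third condition, `baud_rate < (s->r[R_BRGR] * (s->r[R_BDIV] + 1))`, does not protect against a divide by zero: with a non-zero divisor that case produces a quotient of 0. If a resulting speed of 0 is what has to be rejected, a short comment saying so would help, and the commit message should describe it that way.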
It seems really unlikely that early return here is the correct thing, since it will result in our not correctly setting a bunch of the other stuff done later in this function that's unrelated to baud rate. What does the datasheet for this UART specify for this situation?

thanks
-- PMM