+-- On Mon, 29 Oct 2018, Paolo Bonzini wrote --+
| On 29/10/2018 18:56, Paolo Bonzini wrote:
| > On 26/10/2018 22:55, Peter Maydell wrote:
| >>> +assert(len <= LSI_MAX_MSGIN_LEN);
| >>> pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
| >>> /* Linux drivers rely on the last byte be
On 29/10/2018 18:56, Paolo Bonzini wrote:
> On 26/10/2018 22:55, Peter Maydell wrote:
>>> +assert(len <= LSI_MAX_MSGIN_LEN);
>>> pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
>>> /* Linux drivers rely on the last byte being in the SIDL. */
>>> s->sidl = s->msg[len - 1];
>>
On 26/10/2018 22:55, Peter Maydell wrote:
>> +assert(len <= LSI_MAX_MSGIN_LEN);
>> pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
>> /* Linux drivers rely on the last byte being in the SIDL. */
>> s->sidl = s->msg[len - 1];
> Is it possible to get here with len == 0 ?
No,
On 26 October 2018 at 20:43, P J P wrote:
> From: Prasad J Pandit
>
> While writing a message in 'lsi_do_msgin', message length value
> in 'msg_len' could be invalid. Add check to avoid OOB access issue.
>
> Signed-off-by: Prasad J Pandit
> ---
> hw/scsi/lsi53c895a.c | 15 ++-
> 1 f
From: Prasad J Pandit
While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid. Add check to avoid OOB access issue.
Signed-off-by: Prasad J Pandit
---
hw/scsi/lsi53c895a.c | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
Update v1: ad