From: Prasad J Pandit <p...@fedoraproject.org>
While doing DMA read into ESP command buffer 's->cmdbuf', the
length parameter could exceed the buffer size. Add check to avoid
OOB access.
Reported-by: Li Qiang <liqiang...@360.cn>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
Update:
- corrected Li Qiang's email id above.
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..dfea571 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
trace_esp_do_dma(s->cmdlen, len);
+ if (s->cmdlen + len >= sizeof(s->cmdbuf)) {
+ return;
+ }
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
--
2.5.5
