diff mbox

[v2] scsi: esp: check length before dma read

Message ID 1465992538-18320-1-git-send-email-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit June 15, 2016, 12:08 p.m. UTC 
From: Prasad J Pandit <pjp@fedoraproject.org>

While doing DMA read into ESP command buffer 's->cmdbuf', the
length parameter could exceed the buffer size. Add check to avoid
OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

Update:
  - corrected Li Qiang's email id above.
diff mbox

Patch

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..dfea571 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -249,6 +249,9 @@  static void esp_do_dma(ESPState *s)
     len = s->dma_left;
     if (s->do_cmd) {
         trace_esp_do_dma(s->cmdlen, len);
+        if (s->cmdlen + len >= sizeof(s->cmdbuf)) {
+            return;
+        }
         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
         s->ti_size = 0;
         s->cmdlen = 0;