Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
From: P J P
Subject: Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
Date: Wed, 15 Jun 2016 22:48:26 +0530 (IST)
Hello Paolo,
+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
| Actually, the commit message is wrong. The length parameter cannot
| exceed the buffer size anymore.
It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is
called via 'esp_transfer_data' with 's->do_cmd' set? 'len' isn't checked
there.
| Can you do a v4 with the corrected
| commit message and an assert that avoids overflows like in Laszlo's
| proposal? I think this:
|
| assert (s->cmdlen <= sizeof(s->cmdbuf) &&
| len <= sizeof(s->cmdbuf) - s->cmdlen);
Okay.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
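
The two-clause condition requested in the thread, shown as an added example that is not part of the original message or of the QEMU patch. The struct, the 16-byte buffer, the uint32_t fields and the function names are assumptions made for illustration; the additive and single-clause checks are constructed for contrast.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the device state; size and types are assumed. */
struct cmd_state {
    uint8_t  cmdbuf[16];
    uint32_t cmdlen;              /* bytes already stored in cmdbuf */
};

/* Additive check, constructed for contrast: cmdlen + len wraps in 32 bits. */
static bool fits_additive(const struct cmd_state *s, uint32_t len)
{
    return s->cmdlen + len <= sizeof(s->cmdbuf);
}

/* Second clause alone: the subtraction underflows once cmdlen > 16. */
static bool fits_sub_only(const struct cmd_state *s, uint32_t len)
{
    return len <= sizeof(s->cmdbuf) - s->cmdlen;
}

/* Both clauses, the same condition as the assert quoted in the thread. */
static bool fits_checked(const struct cmd_state *s, uint32_t len)
{
    return s->cmdlen <= sizeof(s->cmdbuf) &&
           len <= sizeof(s->cmdbuf) - s->cmdlen;
}

/* Append len bytes only when the checked condition holds; -1 on rejection. */
static int append_cmd(struct cmd_state *s, const uint8_t *src, uint32_t len)
{
    if (!fits_checked(s, len))
        return -1;
    memcpy(&s->cmdbuf[s->cmdlen], src, len);
    s->cmdlen += len;
    return 0;
}

int main(void)
{
    struct cmd_state s = { .cmdlen = 8 };
    uint32_t huge = 0xFFFFFFFCu;  /* constructed value: 8 + huge wraps to 4 */
    printf("additive=%d checked=%d\n", fits_additive(&s, huge), fits_checked(&s, huge));
    s.cmdlen = 20;                /* constructed corrupt state */
    printf("sub_only=%d checked=%d\n", fits_sub_only(&s, 4), fits_checked(&s, 4));
    return 0;
}
```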