On 15/06/2016 19:18, P J P wrote:
> Hello Paolo,
>
> +-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
> | Actually, the commit message is wrong. The length parameter cannot
> | exceed the buffer size anymore.
>
> It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is
>
Hello Paolo,
+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
| Actually, the commit message is wrong. The length parameter cannot
| exceed the buffer size anymore.
It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is
called via 'esp_transfer_data' with 's->do_cmd' set
On 15/06/2016 18:16, P J P wrote:
> From: Prasad J Pandit
>
> While doing DMA read into ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add check to avoid
> OOB access. Also increase the command buffer size to 32, which
> is maximum when 's->do_cmd' is set.
On 15/06/2016 18:16, P J P wrote:
> From: Prasad J Pandit
>
> While doing DMA read into ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add check to avoid
> OOB access. Also increase the command buffer size to 32, which
> is maximum when 's->do_cmd' is set.
From: Prasad J Pandit
While doing DMA read into ESP command buffer 's->cmdbuf', the
length parameter could exceed the buffer size. Add check to avoid
OOB access. Also increase the command buffer size to 32, which
is maximum when 's->do_cmd' is set.
Reported-by: Li Qiang
Signed-off-by: Prasad J
