Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end

From:	Paolo Bonzini
Subject:	Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Date:	Fri, 11 Dec 2020 12:46:02 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0

On 11/12/20 09:32, Wenxiang Qian wrote:

+ The lba is set to -1 to avoid some code paths, to make PoC simpler.

void ide_atapi_cmd_reply_end(IDEState *s)
{
     int byte_count_limit, size, ret;
     while (s->packet_transfer_size > 0) {
.....

if (s->lba != -1 && s->io_buffer_index >= s->cd_sector_size) {<----- set lba to -1 to avoid this part

  .....
         }
         if (s->elementary_transfer_size > 0) {
......
         } else {
.......
             if (s->lba != -1) { <-----
                 if (size > (s->cd_sector_size - s->io_buffer_index))

size = (s->cd_sector_size - s->io_buffer_index);<-----

             }
         }

If the lba is not -1, I don't think bad things can happen on this path.Am I wrong?


Paolo

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end, (continued)
- Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end, leonwxqian, 2020/12/11

Prev by Date: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Next by Date: Re: [PATCH v2] s390x: pv: Fence additional unavailable SCLP facilities for PV guests
Previous by thread: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Next by thread: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Index(es):
- Date
- Thread