Google Git
Sign in
qemu / qemu / 141af038dd1e73ed32e473046adeb822537c1152
commit141af038dd1e73ed32e473046adeb822537c1152[log] [tgz]
authorPaolo Bonzini <pbonzini@redhat.com>Fri May 20 10:35:15 2016 +0200
committerPaolo Bonzini <pbonzini@redhat.com>Sun May 29 09:11:11 2016 +0200
treee2ab07fa8796e16b4188f0eca5a29b1acf6d05c4
parenta6b3167fa0e825aebb5a7cd8b437b6d41584a196 [diff]
bt: rewrite csrhci_write to avoid out-of-bounds writes

The usage of INT_MAX in this function confuses Coverity.  I think
the defect is bogus, however there is no protection against
getting more than sizeof(s->inpkt) bytes from the character device
backend.

Rewrite the function to only fill in as much data as needed from
buf into s->inpkt.  The plen variable is replaced by a simple
state machine and there is no need anymore to shift contents to
the beginning of s->inpkt.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed
tree: e2ab07fa8796e16b4188f0eca5a29b1acf6d05c4
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. contrib/
  6. crypto/
  7. default-configs/
  8. disas/
  9. docs/
  10. fpu/
  11. fsdev/
  12. gdb-xml/
  13. hw/
  14. include/
  15. io/
  16. libdecnumber/
  17. linux-headers/
  18. linux-user/
  19. migration/
  20. nbd/
  21. net/
  22. pc-bios/
  23. po/
  24. qapi/
  25. qga/
  26. qobject/
  27. qom/
  28. replay/
  29. roms/
  30. scripts/
  31. slirp/
  32. stubs/
  33. target-alpha/
  34. target-arm/
  35. target-cris/
  36. target-i386/
  37. target-lm32/
  38. target-m68k/
  39. target-microblaze/
  40. target-mips/
  41. target-moxie/
  42. target-openrisc/
  43. target-ppc/
  44. target-s390x/
  45. target-sh4/
  46. target-sparc/
  47. target-tilegx/
  48. target-tricore/
  49. target-unicore32/
  50. target-xtensa/
  51. tcg/
  52. tests/
  53. trace/
  54. ui/
  55. util/
  56. dtc
  57. pixman
  58. .dir-locals.el
  59. .exrc
  60. .gitignore
  61. .gitmodules
  62. .mailmap
  63. .travis.yml
  64. accel.c
  65. aio-posix.c
  66. aio-win32.c
  67. arch_init.c
  68. async.c
  69. balloon.c
  70. block.c
  71. blockdev-nbd.c
  72. blockdev.c
  73. blockjob.c
  74. bootdevice.c
  75. bt-host.c
  76. bt-vhci.c
  77. Changelog
  78. CODING_STYLE
  79. configure
  80. COPYING
  81. COPYING.LIB
  82. cpu-exec-common.c
  83. cpu-exec.c
  84. cpus.c
  85. cputlb.c
  86. device-hotplug.c
  87. device_tree.c
  88. disas.c
  89. dma-helpers.c
  90. dump.c
  91. exec.c
  92. gdbstub.c
  93. HACKING
  94. hmp-commands-info.hx
  95. hmp-commands.hx
  96. hmp.c
  97. hmp.h
  98. iohandler.c
  99. ioport.c
  100. iothread.c
  101. kvm-all.c
  102. kvm-stub.c
  103. LICENSE
  104. main-loop.c
  105. MAINTAINERS
  106. Makefile
  107. Makefile.objs
  108. Makefile.target
  109. memory.c
  110. memory_mapping.c
  111. module-common.c
  112. monitor.c
  113. numa.c
  114. os-posix.c
  115. os-win32.c
  116. page_cache.c
  117. qapi-schema.json
  118. qdev-monitor.c
  119. qdict-test-data.txt
  120. qemu-bridge-helper.c
  121. qemu-char.c
  122. qemu-doc.texi
  123. qemu-ga.texi
  124. qemu-img-cmds.hx
  125. qemu-img.c
  126. qemu-img.texi
  127. qemu-io-cmds.c
  128. qemu-io.c
  129. qemu-nbd.c
  130. qemu-nbd.texi
  131. qemu-options-wrapper.h
  132. qemu-options.h
  133. qemu-options.hx
  134. qemu-seccomp.c
  135. qemu-tech.texi
  136. qemu-timer.c
  137. qemu.nsi
  138. qemu.sasl
  139. qmp-commands.hx
  140. qmp.c
  141. qtest.c
  142. README
  143. rules.mak
  144. softmmu_template.h
  145. spice-qemu-char.c
  146. tcg-runtime.c
  147. tci.c
  148. thread-pool.c
  149. thunk.c
  150. tpm.c
  151. trace-events
  152. translate-all.c
  153. translate-all.h
  154. translate-common.c
  155. user-exec.c
  156. VERSION
  157. version.rc
  158. vl.c
  159. xen-common-stub.c
  160. xen-common.c
  161. xen-hvm-stub.c
  162. xen-hvm.c
  163. xen-mapcache.c