author | Paolo Bonzini <pbonzini@redhat.com> | 2016-05-20 10:35:15 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2016-05-29 09:11:11 +0200 |
commit | 141af038dd1e73ed32e473046adeb822537c1152 (patch) | |
tree | e2ab07fa8796e16b4188f0eca5a29b1acf6d05c4 /hw/s390x | |
parent | a6b3167fa0e825aebb5a7cd8b437b6d41584a196 (diff) | |

bt: rewrite csrhci_write to avoid out-of-bounds writes

The usage of INT_MAX in this function confuses Coverity. I think
the defect is bogus, however there is no protection against
getting more than sizeof(s->inpkt) bytes from the character device
backend.

Rewrite the function to only fill in as much data as needed from
buf into s->inpkt. The plen variable is replaced by a simple
state machine and there is no need anymore to shift contents to
the beginning of s->inpkt.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Diffstat (limited to 'hw/s390x')
0 files changed, 0 insertions, 0 deletions
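
The pattern the commit message describes, a receive state machine that copies from `buf` only the bytes the current state still needs, is shown below as an added example; it is not the QEMU patch, which this page does not include. The two-byte header framing and the names `rx_write`, `rx_init`, `rx_restart`, `in_len`, `in_needed`, `PKT_MAX` and `HDR_LEN` are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical framing, assumed for this example only:
 * byte 0 = packet type, byte 1 = payload length, then the payload. */
#define HDR_LEN 2
#define PKT_MAX 64                          /* capacity of inpkt */

enum rx_state { RX_HEADER, RX_PAYLOAD };

struct rx {
    enum rx_state state;
    size_t in_len, in_needed;               /* bytes held / bytes this state needs */
    unsigned packets, dropped;              /* completed packets / rejected headers */
    uint8_t inpkt[PKT_MAX];
};

static void rx_restart(struct rx *s)
{
    s->state = RX_HEADER;
    s->in_len = 0;
    s->in_needed = HDR_LEN;
}

void rx_init(struct rx *s) { memset(s, 0, sizeof(*s)); rx_restart(s); }

/* Consume len bytes from an untrusted backend. in_needed never exceeds
 * PKT_MAX, so the memcpy below cannot write past the end of inpkt. */
void rx_write(struct rx *s, const uint8_t *buf, size_t len)
{
    while (len > 0) {
        size_t cnt = s->in_needed - s->in_len;
        if (cnt > len) cnt = len;           /* take only what this state needs */
        memcpy(s->inpkt + s->in_len, buf, cnt);
        s->in_len += cnt; buf += cnt; len -= cnt;
        if (s->in_len < s->in_needed) break;            /* wait for more input */
        if (s->state == RX_HEADER && s->inpkt[1] > PKT_MAX - HDR_LEN) {
            s->dropped++;                   /* declared length cannot fit: reject */
        } else if (s->state == RX_HEADER && s->inpkt[1] > 0) {
            s->state = RX_PAYLOAD;          /* header accepted, now the body */
            s->in_needed = HDR_LEN + s->inpkt[1];
            continue;
        } else {
            s->packets++;                   /* a handler would read inpkt here */
        }
        rx_restart(s);                      /* next packet starts at offset 0 */
    }
}
```

Because every packet is assembled from offset 0 and the loop walks `buf` itself, nothing has to be shifted back to the start of `inpkt`, and the size of a single backend write no longer matters.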