diff options
author | Eden Mikitas <e.mikitas@gmail.com> | 2020-06-02 13:44:34 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2020-06-05 17:23:08 +0100 |
commit | 9c49c83e4b23d31676633a1189faa6e70b489c01 (patch) | |
tree | a17da6b23e17d28065fa1b90a242ad7c393686e6 /hw | |
parent | 5d2f557b47dfbf8f23277a5bdd8473d4607c681a (diff) | |
download | qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.zip qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.gz qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.bz2 |
hw/ssi/imx_spi: changed while statement to prevent underflow
The while statement in question only checked if tx_burst is not 0.
tx_burst is a signed int, which is assigned the value put by the
guest driver in ECSPI_CONREG. The burst length can be anywhere
between 1 and 4096, and since tx_burst is always decremented by 8
it could possibly underflow, causing an infinite loop.
Signed-off-by: Eden Mikitas <e.mikitas@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/ssi/imx_spi.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c index 2dd9a63..6fef5c7 100644 --- a/hw/ssi/imx_spi.c +++ b/hw/ssi/imx_spi.c @@ -182,7 +182,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s) rx = 0; - while (tx_burst) { + while (tx_burst > 0) { uint8_t byte = tx & 0xff; DPRINTF("writing 0x%02x\n", (uint32_t)byte); |