Hello Paolo,

+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
| Actually, the commit message is wrong. The length parameter cannot
| exceed the buffer size anymore.

It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is called via 'esp_transfer_data' with 's->do_cmd' set? 'len' isn't checked there.

| Can you do a v4 with the corrected
| commit message and an assert that avoids overflows like in Laszlo's
| proposal? I think this:
|
|     assert (s->cmdlen <= sizeof(s->cmdbuf) &&
|             len <= sizeof(s->cmdbuf) - s->cmdlen);

Okay. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
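The two-clause bound Paolo proposes, written out as a standalone check beside the weaker "cmdlen + len" form it replaces. This is an added illustration, not code from the thread or from QEMU's esp device; the struct shape, the 16-byte buffer size and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the device state: only the two fields the
 * discussed assert touches. The buffer size is an assumption. */
#define CMDBUF_SIZE 16
typedef struct {
    uint8_t cmdbuf[CMDBUF_SIZE];
    uint32_t cmdlen;
} ESPState;

/* The check in the proposed form: first establish that cmdlen is inside the
 * buffer, then compare len against the remaining space. Once the first clause
 * holds the subtraction cannot underflow, so no unsigned wrap-around exists. */
static bool cmdbuf_has_room(const ESPState *s, uint32_t len)
{
    return s->cmdlen <= sizeof(s->cmdbuf) &&
           len <= sizeof(s->cmdbuf) - s->cmdlen;
}

/* The tempting additive form, shown only for contrast: with 32-bit unsigned
 * operands the sum can wrap back below the buffer size and pass. */
static bool naive_has_room(const ESPState *s, uint32_t len)
{
    return s->cmdlen + len <= sizeof(s->cmdbuf);
}

/* Append len bytes to the command buffer, refusing instead of overflowing. */
static bool cmdbuf_append(ESPState *s, const uint8_t *src, uint32_t len)
{
    if (!cmdbuf_has_room(s, len)) return false;
    memcpy(s->cmdbuf + s->cmdlen, src, len);
    s->cmdlen += len;
    return true;
}

/* Fill the buffer in two appends, then try one byte too many; returns the
 * final cmdlen (16) if the third append was correctly refused. */
static uint32_t fill_then_overflow_attempt(void)
{
    ESPState s = {{0}, 0};
    uint8_t data[CMDBUF_SIZE] = {0};
    if (!cmdbuf_append(&s, data, 10) || !cmdbuf_append(&s, data, 6)) return 0;
    return cmdbuf_append(&s, data, 1) ? 0 : s.cmdlen;
}

/* With cmdlen = 10, a len that makes cmdlen + len wrap to 4 slips past the
 * additive check but is rejected by the subtractive one. */
static bool wrap_caught_only_by_safe_check(void)
{
    ESPState s = {{0}, 10};
    uint32_t len = UINT32_MAX - 5;
    return naive_has_room(&s, len) && !cmdbuf_has_room(&s, len);
}

int main(void)
{
    printf("cmdlen after refused overflow: %u\n", fill_then_overflow_attempt());
    printf("wrap-around caught only by safe check: %s\n",
           wrap_caught_only_by_safe_check() ? "yes" : "no");
    return 0;
}
```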