On Fri, 5 Jun 2020 at 11:25, Philippe Mathieu-Daudé <phi...@redhat.com> wrote:
>
> From: Philippe Mathieu-Daudé <f4...@amsat.org>
>
> Only move the state machine to ReceivingData if there is no
> pending error. This avoids later OOB access while processing
> commands queued.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.3 Data Read
>
> Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> 4.3.4 Data Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
It's not clear from the spec that this should also apply to WP_VIOLATION errors. The text about WP_VIOLATION suggests that it is handled by aborting the data transfer (i.e. set the error bit, stay in receive-data state, wait for a stop command, but ignore all further data transfer), which is I think distinct from "rejecting" the command. If that theory is right then moving the check for the ADDRESS_ERROR in this patch is correct but the WP_VIOLATION tests should stay as they are, I think.

NB: is the buffer overrun we're trying to protect against caused by passing sd_wp_addr() a bad address? Maybe we should assert in sd_addr_to_wpnum() that the address is in range, as a defence.

thanks
-- PMM
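As an added illustration of the two points raised in this thread (gating the move into a data state on the absence of a rejecting error, and range-checking the address before it reaches the write-protect lookup), here is a small constructed model of an SD card's data-command path. It is example code written for this page, not QEMU's hw/sd/sd.c: the card geometry, the type names and the `SD_ERR_*` bits are all assumptions, and the WP_VIOLATION handling follows the reviewer's reading above (record the error, still enter the data state) rather than anything the spec quote settles.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of an SD card's data-command path (not QEMU code).
 * Geometry is fixed so the out-of-range case is easy to reason about. */
#define BLOCK_LEN   512u
#define WPG_BLOCKS  4u                          /* blocks per write-protect group */
#define WPG_COUNT   8u                          /* write-protect groups on the card */
#define CARD_SIZE   (WPG_COUNT * WPG_BLOCKS * BLOCK_LEN)

typedef enum { ST_TRANSFER, ST_RECEIVING_DATA, ST_SENDING_DATA } card_state_t;

enum {
    SD_ERR_ADDRESS   = 1u << 0,   /* ADDRESS_ERROR   (assumed bit layout) */
    SD_ERR_BLOCK_LEN = 1u << 1,   /* BLOCK_LEN_ERROR (assumed bit layout) */
    SD_ERR_WP_VIOL   = 1u << 2,   /* WP_VIOLATION    (assumed bit layout) */
};

typedef struct {
    card_state_t state;
    uint32_t     errors;            /* pending error bits in the card status */
    uint32_t     block_len;         /* current SET_BLOCKLEN value */
    uint8_t      wp_groups[WPG_COUNT]; /* 1 = group is write-protected */
} sd_card_t;

typedef struct {
    bool         accepted;          /* did the card enter a data state? */
    card_state_t state;
    uint32_t     errors;
} sd_result_t;

/* Address -> write-protect group index, with an explicit range check.
 * Returns -1 for an address beyond the card instead of letting the caller
 * index wp_groups[] out of bounds (the defence the review suggests). */
int sd_addr_to_wpnum(uint64_t addr)
{
    if (addr >= CARD_SIZE) {
        return -1;
    }
    return (int)(addr / (WPG_BLOCKS * BLOCK_LEN));
}

/* True if the group containing addr is write-protected; an out-of-range
 * address is reported as not protected rather than read past the array. */
bool sd_wp_addr(const sd_card_t *sd, uint64_t addr)
{
    int wpnum = sd_addr_to_wpnum(addr);
    if (wpnum < 0) {
        return false;
    }
    return sd->wp_groups[wpnum] != 0;
}

/* Validate a data command's address and length, recording the spec's
 * BLOCK_LEN_ERROR / ADDRESS_ERROR in the status bits. */
static void sd_validate_data_cmd(sd_card_t *sd, uint64_t addr)
{
    if (sd->block_len == 0 || sd->block_len > BLOCK_LEN) {
        sd->errors |= SD_ERR_BLOCK_LEN;
    }
    if (addr % BLOCK_LEN != 0 || addr + sd->block_len > CARD_SIZE) {
        sd->errors |= SD_ERR_ADDRESS;
    }
}

/* WRITE_BLOCK: enter ReceivingData only when no rejecting error is pending
 * (spec 4.3.4). WP_VIOLATION is recorded but, on the reviewer's reading,
 * the card still enters the data state and aborts the transfer later. */
bool sd_cmd_write_block(sd_card_t *sd, uint64_t addr)
{
    sd->errors = 0;
    sd_validate_data_cmd(sd, addr);
    if (sd->errors & (SD_ERR_ADDRESS | SD_ERR_BLOCK_LEN)) {
        return false;               /* rejected: state unchanged, no transfer */
    }
    if (sd_wp_addr(sd, addr)) {     /* addr already known to be in range here */
        sd->errors |= SD_ERR_WP_VIOL;
    }
    sd->state = ST_RECEIVING_DATA;
    return true;
}

/* READ_BLOCK: same gate (spec 4.3.3), moving to SendingData on success. */
bool sd_cmd_read_block(sd_card_t *sd, uint64_t addr)
{
    sd->errors = 0;
    sd_validate_data_cmd(sd, addr);
    if (sd->errors & (SD_ERR_ADDRESS | SD_ERR_BLOCK_LEN)) {
        return false;
    }
    sd->state = ST_SENDING_DATA;
    return true;
}

/* Issue one command against a fresh card; protect_first_group marks
 * write-protect group 0 so a WP_VIOLATION can be observed. */
sd_result_t sd_try(bool write, uint64_t addr, bool protect_first_group)
{
    sd_card_t sd = { .state = ST_TRANSFER, .block_len = BLOCK_LEN };
    sd.wp_groups[0] = protect_first_group;
    sd_result_t r;
    r.accepted = write ? sd_cmd_write_block(&sd, addr)
                       : sd_cmd_read_block(&sd, addr);
    r.state  = sd.state;
    r.errors = sd.errors;
    return r;
}

int main(void)
{
    sd_result_t r = sd_try(true, CARD_SIZE, false);
    printf("write past end: accepted=%d state=%d errors=0x%x\n",
           r.accepted, (int)r.state, r.errors);
    r = sd_try(true, 0, true);
    printf("write to protected group: accepted=%d state=%d errors=0x%x\n",
           r.accepted, (int)r.state, r.errors);
    return 0;
}
```

The write past the end of the card sets ADDRESS_ERROR and is rejected before `sd_wp_addr()` is ever consulted, so the write-protect lookup never sees an out-of-range address; the range check in `sd_addr_to_wpnum()` is a second line of defence for any caller that reaches it by another path.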