| commit | 141af038dd1e73ed32e473046adeb822537c1152 | |
| author | Paolo Bonzini <pbonzini@redhat.com> | |
| Fri, 20 May 2016 08:35:15 +0000 (20 10:35 +0200) | ||
| committer | Paolo Bonzini <pbonzini@redhat.com> | |
| Sun, 29 May 2016 07:11:11 +0000 (29 09:11 +0200) | ||
| tree | e2ab07fa8796e16b4188f0eca5a29b1acf6d05c4 | treesnapshot (tar.gz zip) |
| parent | a6b3167fa0e825aebb5a7cd8b437b6d41584a196 | commitdiff |
bt: rewrite csrhci_write to avoid out-of-bounds writes
The usage of INT_MAX in this function confuses Coverity. I think
the defect is bogus, however there is no protection against
getting more than sizeof(s->inpkt) bytes from the character device
backend.
Rewrite the function to only fill in as much data as needed from
buf into s->inpkt. The plen variable is replaced by a simple
state machine and there is no need anymore to shift contents to
the beginning of s->inpkt.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The usage of INT_MAX in this function confuses Coverity. I think
the defect is bogus, however there is no protection against
getting more than sizeof(s->inpkt) bytes from the character device
backend.
Rewrite the function to only fill in as much data as needed from
buf into s->inpkt. The plen variable is replaced by a simple
state machine and there is no need anymore to shift contents to
the beginning of s->inpkt.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| hw/bt/hci-csr.c | diffblobblamehistory |