Macintosh-Tools/dingusppc
1
0
Fork 0
mirror of https://github.com/dingusdev/dingusppc.git synced 2025-03-13 15:30:32 +00:00
Code Issues Projects Releases Wiki Activity

scsi: Check for maximum transfer size

Browse Source 
Better to fail immediately than to have a buffer overflow.
This commit is contained in:
Mihai Parparita 2025-01-07 22:52:00 -08:00
parent a5ba986666
commit 40617692b8
1 changed files with 13 additions and 6 deletions

19
devices/common/scsi/scsihd.cpp

@ -455,14 +455,17 @@ void ScsiHardDisk::read(uint32_t lba, uint16_t transfer_len, uint8_t cmd_len) {
return;
uint32_t transfer_size = transfer_len;
std::memset(this->data_buf, 0, sizeof(this->data_buf));
if (cmd_len == 6 && transfer_len == 0) {
transfer_size = 256;
}
transfer_size *= this->sector_size;
size_t data_buf_size = sizeof(this->data_buf);
if (transfer_size > data_buf_size) {
ABORT_F("%s: cannot read %d bytes (%d sectors * %d bytes/sector), maximum size is %lu bytes", this->name.c_str(), transfer_size, transfer_len, this->sector_size, data_buf_size);
}
std::memset(this->data_buf, 0, data_buf_size);
uint64_t device_offset = (uint64_t)lba * this->sector_size;
this->disk_img.read(this->data_buf, device_offset, transfer_size);
@ -474,12 +477,16 @@ void ScsiHardDisk::read(uint32_t lba, uint16_t transfer_len, uint8_t cmd_len) {
void ScsiHardDisk::write(uint32_t lba, uint16_t transfer_len, uint8_t cmd_len) {
uint32_t transfer_size = transfer_len;
if (cmd_len == 6 && transfer_len == 0) {
transfer_size = 256;
}
transfer_size *= this->sector_size;
size_t data_buf_size = sizeof(this->data_buf);
if (transfer_size > data_buf_size) {
ABORT_F("%s: cannot write %d bytes (%d sectors * %d bytes/sector), maximum size is %lu bytes", this->name.c_str(), transfer_size, transfer_len, this->sector_size, data_buf_size);
}
uint64_t device_offset = (uint64_t)lba * this->sector_size;
this->incoming_size = transfer_size;