m25p80.c: Return state to IDLE after COLLECTING

Default to moving back to the IDLE state after the COLLECTING_DATA state. For a well behaved guest this patch has no consequence, but A bad guest could crash QEMU by using one of the erase commands followed by a longer than 5 byte argument (undefined behaviour). Signed-off-by: N Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: N Edgar E. Iglesias <edgar.iglesias@gmail.com>

m25p80.c: Return state to IDLE after COLLECTING
Default to moving back to the IDLE state after the COLLECTING_DATA state. For a well behaved guest this patch has no consequence, but A bad guest could crash QEMU by using one of the erase commands followed by a longer than 5 byte argument (undefined behaviour). Signed-off-by: N Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: N Edgar E. Iglesias <edgar.iglesias@gmail.com>
a56d305a · Peter Crosthwaite · Edgar E. Iglesias · 2f991adb · a56d305a
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

hw/m25p80.c hw/m25p80.c +2 -0

未找到文件。
--- a/hw/m25p80.c
+++ b/hw/m25p80.c
@@ -358,6 +358,8 @@ static void complete_collecting_data(Flash *s)
    s->cur_addr |= s->data[1] << 8;
    s->cur_addr |= s->data[2];

+    s->state = STATE_IDLE;
+
    switch (s->cmd_in_progress) {
    case DPP:
    case QPP: