Changeset 87164 in vbox

Timestamp:

Jan 4, 2021 1:19:24 PM (4 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

142084

Message:

Devices/DevLsiLogicSCSI: Stricter range check, bugref:9897

File:

• trunk/src/VBox/Devices/Storage/DevLsiLogicSCSI.cpp (modified) (1 diff)

trunk/src/VBox/Devices/Storage/DevLsiLogicSCSI.cpp

@@ -1118 +1118 @@
             pReply->IOCFacts.u8MaxBuses           = pThis->cMaxBuses;
 
-            /* Check for a valid firmware image in the IOC memory which was downlaoded by tzhe guest earlier. */
+            pReply->IOCFacts.u16ProductID         = 0xcafe; /* Our own product ID :) */
+            pReply->IOCFacts.u32FwImageSize       = 0; /* No image needed. */
+            pReply->IOCFacts.u32FWVersion         = 0;
+
+            /* Check for a valid firmware image in the IOC memory which was downloaded by the guest earlier and use that. */
             PLSILOGICMEMREGN pRegion = lsilogicR3MemRegionFindByAddr(pThisCC, LSILOGIC_FWIMGHDR_LOAD_ADDRESS);
-
             if (pRegion)
             {
-                uint32_t offImgHdr = (LSILOGIC_FWIMGHDR_LOAD_ADDRESS - pRegion->u32AddrStart) / 4;
-                PFwImageHdr pFwImgHdr = (PFwImageHdr)&pRegion->au32Data[offImgHdr];
-
-                /* Check for the signature. */
-                /** @todo Checksum validation. */
-                if (   pFwImgHdr->u32Signature1 == LSILOGIC_FWIMGHDR_SIGNATURE1
-                    && pFwImgHdr->u32Signature2 == LSILOGIC_FWIMGHDR_SIGNATURE2
-                    && pFwImgHdr->u32Signature3 == LSILOGIC_FWIMGHDR_SIGNATURE3)
+                uint32_t offImgHdr = (LSILOGIC_FWIMGHDR_LOAD_ADDRESS - pRegion->u32AddrStart);
+                if (pRegion->u32AddrEnd - offImgHdr + 1 >= sizeof(FwImageHdr)) /* End address is inclusive. */
                 {
-                    LogFlowFunc(("IOC Facts: Found valid firmware image header in memory, using version (%#x), size (%d) and product ID (%#x) from there\n",
-                                 pFwImgHdr->u32FwVersion, pFwImgHdr->u32ImageSize, pFwImgHdr->u16ProductId));
-
-                    pReply->IOCFacts.u16ProductID         = pFwImgHdr->u16ProductId;
-                    pReply->IOCFacts.u32FwImageSize       = pFwImgHdr->u32ImageSize;
-                    pReply->IOCFacts.u32FWVersion         = pFwImgHdr->u32FwVersion;
+                    PFwImageHdr pFwImgHdr = (PFwImageHdr)&pRegion->au32Data[offImgHdr / 4];
+
+                    /* Check for the signature. */
+                    /** @todo Checksum validation. */
+                    if (   pFwImgHdr->u32Signature1 == LSILOGIC_FWIMGHDR_SIGNATURE1
+                        && pFwImgHdr->u32Signature2 == LSILOGIC_FWIMGHDR_SIGNATURE2
+                        && pFwImgHdr->u32Signature3 == LSILOGIC_FWIMGHDR_SIGNATURE3)
+                    {
+                        LogFlowFunc(("IOC Facts: Found valid firmware image header in memory, using version (%#x), size (%d) and product ID (%#x) from there\n",
+                                     pFwImgHdr->u32FwVersion, pFwImgHdr->u32ImageSize, pFwImgHdr->u16ProductId));
+
+                        pReply->IOCFacts.u16ProductID         = pFwImgHdr->u16ProductId;
+                        pReply->IOCFacts.u32FwImageSize       = pFwImgHdr->u32ImageSize;
+                        pReply->IOCFacts.u32FWVersion         = pFwImgHdr->u32FwVersion;
+                    }
                 }
-            }
-            else
-            {
-                pReply->IOCFacts.u16ProductID         = 0xcafe; /* Our own product ID :) */
-                pReply->IOCFacts.u32FwImageSize       = 0; /* No image needed. */
-                pReply->IOCFacts.u32FWVersion         = 0;
             }
             break;