Buffer length fixes, by Wang Cheng Yeh.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@2736 c046a42c-6fe2-441c-8c8c-71466251a162
ths 2007-04-28 20:47:59 +00:00
parent 7faa239ca3
commit 67cd24a897


@ -345,7 +345,7 @@ int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf, int lun)
DPRINTF("Request Sense (len %d)\n", len); DPRINTF("Request Sense (len %d)\n", len);
if (len < 4) if (len < 4)
goto fail; goto fail;
memset(buf, 0, 4); memset(outbuf, 0, 4);
outbuf[0] = 0xf0; outbuf[0] = 0xf0;
outbuf[1] = 0; outbuf[1] = 0;
outbuf[2] = s->sense; outbuf[2] = s->sense;
@ -371,7 +371,7 @@ int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf, int lun)
Some later commands are also implemented. */ Some later commands are also implemented. */
outbuf[2] = 3; outbuf[2] = 3;
outbuf[3] = 2; /* Format 2 */ outbuf[3] = 2; /* Format 2 */
outbuf[4] = 32; outbuf[4] = 31;
/* Sync data transfer and TCQ. */ /* Sync data transfer and TCQ. */
outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0); outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
r->buf_len = 36; r->buf_len = 36;
@ -404,10 +404,11 @@ int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf, int lun)
p += 4; p += 4;
if ((page == 8 || page == 0x3f)) { if ((page == 8 || page == 0x3f)) {
/* Caching page. */ /* Caching page. */
memset(p,0,20);
p[0] = 8; p[0] = 8;
p[1] = 0x12; p[1] = 0x12;
p[2] = 4; /* WCE */ p[2] = 4; /* WCE */
p += 19; p += 20;
} }
if ((page == 0x3f || page == 0x2a) if ((page == 0x3f || page == 0x2a)
&& (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) { && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
@ -437,7 +438,7 @@ int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf, int lun)
p[19] = (16 * 176) & 0xff; p[19] = (16 * 176) & 0xff;
p[20] = (16 * 176) >> 8; // 16x write speed current p[20] = (16 * 176) >> 8; // 16x write speed current
p[21] = (16 * 176) & 0xff; p[21] = (16 * 176) & 0xff;
p += 21; p += 22;
} }
r->buf_len = p - outbuf; r->buf_len = p - outbuf;
outbuf[0] = r->buf_len - 4; outbuf[0] = r->buf_len - 4;
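Review bot: The caching-page size is spelled three separate ways in the third hunk (`memset(p,0,20)`, `p[1] = 0x12` and `p += 20`), and the old `p += 19` shows how easily such copies drift apart. Deriving the advance from the length byte, `p += p[1] + 2;`, would keep them tied together, and the same applies to `p += 22` in the last hunk. Nothing visible in these hunks checks `p` against the end of `outbuf` or against the guest-supplied allocation length before a page is appended, and for page 0x3f on a CD-ROM both pages are emitted; if the surrounding code does not already bound this, a remaining-space check before each page is worth adding. The CD page gets no `memset` like the one added for the caching page, so any byte it does not assign explicitly would hand stale `outbuf` contents to the guest. Its earlier assignments lie outside the hunk, so that needs confirming, and scsi_send_command itself starts and ends outside the hunks shown.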