b72981b910
The continue_send() method in ipmi_bmc_extern.c directly assigns the return value of qemu_chr_fe_write() to the variable tracking the I/O buffer offset. This ignores the possibility that the return value could be -1 and so will cause I/O go backwards on EAGAIN. Fortunately 'outpos' is unsigned, so can't go negative - it will become MAX_INT which will cause the loop to stop, and avoid an accidental out of bounds array access. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1473170165-540-2-git-send-email-berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
||
|---|---|---|
| .. | ||
| ipmi_bmc_extern.c | ||
| ipmi_bmc_sim.c | ||
| ipmi.c | ||
| isa_ipmi_bt.c | ||
| isa_ipmi_kcs.c | ||
| Makefile.objs | ||