Index: /trunk/src/VBox/Devices/Storage/DevBusLogic.cpp
===================================================================
--- /trunk/src/VBox/Devices/Storage/DevBusLogic.cpp	(revision 67918)
+++ /trunk/src/VBox/Devices/Storage/DevBusLogic.cpp	(revision 67919)
@@ -383,11 +383,9 @@
     /** Flag whether IRQs are enabled. */
     bool                            fIRQEnabled;
-    /** Flag whether the ISA I/O port range is disabled
-     * to prevent the BIOS to access the device. */
-    bool                            fISAEnabled;    /**< @todo unused, to be removed */
     /** Flag whether 24-bit mailboxes are in use (default is 32-bit). */
     bool                            fMbxIs24Bit;
     /** ISA I/O port base (encoded in FW-compatible format). */
     uint8_t                         uISABaseCode;
+    uint8_t                         Alignment00;
 
     /** ISA I/O port base (disabled if zero). */
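Review bot: `Alignment00` at line 15 is the only member in this hunk without a doc comment, while every neighbouring field carries a `/** ... */` description, so a reader cannot tell whether the byte is deliberate padding or a placeholder for a future field. Since a one-byte `bool` was removed and a one-byte `uint8_t` inserted in the same region, it presumably exists to keep the structure layout unchanged; suggest `/** Explicit padding byte, keeps the layout unchanged after fISAEnabled was dropped. */` on line 15. The enclosing structure starts and ends outside the hunk.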
@@ -1872,6 +1870,12 @@
         {
             /* The reply length is set by the guest and is found in the first byte of the command buffer. */
+            if (pBusLogic->aCommandBuffer[0] > sizeof(pBusLogic->aReplyBuffer))
+            {
+                Log(("Requested too much adapter model number data (%u)!\n", pBusLogic->aCommandBuffer[0]));
+                pBusLogic->regStatus |= BL_STAT_CMDINV;
+                break;
+            }
             pBusLogic->cbReplyParametersLeft = pBusLogic->aCommandBuffer[0];
-            memset(pBusLogic->aReplyBuffer, 0, pBusLogic->cbReplyParametersLeft);
+            memset(pBusLogic->aReplyBuffer, 0, sizeof(pBusLogic->aReplyBuffer));
             const char aModelName[] = "958D ";  /* Trailing \0 is fine, that's the filler anyway. */
             int cCharsToTransfer =   pBusLogic->cbReplyParametersLeft <= sizeof(aModelName)
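Review bot: On the rejection path added at lines 21-26, `cbReplyParametersLeft` is left at whatever value it held before this command, whereas the mailbox hunk at lines 36-42 zeroes it before rejecting the request. If the code after the switch uses `cbReplyParametersLeft` to drive reply output (not visible here), a stale non-zero value would let the guest read out the previous reply despite the `BL_STAT_CMDINV` status; adding `pBusLogic->cbReplyParametersLeft = 0;` as the first statement of the `if` body makes the rejection self-contained. The same applies to the synchronous-period check at lines 79-84. The enclosing case body continues outside the hunk.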
@@ -1971,5 +1975,11 @@
             PRequestInitMbx pRequest = (PRequestInitMbx)pBusLogic->aCommandBuffer;
 
-            ///@todo: Command should fail if requested no. of mailbox entries is zero
+            pBusLogic->cbReplyParametersLeft = 0;
+            if (!pRequest->cMailbox)
+            {
+                Log(("cMailboxes=%u (24-bit mode), fail!\n", pBusLogic->cMailbox));
+                pBusLogic->regStatus |= BL_STAT_CMDINV;
+                break;
+            }
             pBusLogic->fMbxIs24Bit = true;
             pBusLogic->cMailbox = pRequest->cMailbox;
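Review bot: The log at line 39 prints `pBusLogic->cMailbox`, the count configured by an earlier initialization, although the branch rejects the request because `pRequest->cMailbox` is zero; the text "cMailboxes=%u ... fail!" reads as if the printed number were the rejected value. Either log the request field or reword so the number is identified, e.g. `Log(("Requested zero mailboxes (24-bit mode, current cMailbox=%u), fail!\n", pBusLogic->cMailbox));`. The same applies to line 64 in the extended-mailbox hunk. The case body continues past the end of the hunk.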
@@ -1984,12 +1994,17 @@
 
             pBusLogic->regStatus &= ~BL_STAT_INREQ;
+            break;
+        }
+        case BUSLOGICCOMMAND_INITIALIZE_EXTENDED_MAILBOX:
+        {
+            PRequestInitializeExtendedMailbox pRequest = (PRequestInitializeExtendedMailbox)pBusLogic->aCommandBuffer;
+
             pBusLogic->cbReplyParametersLeft = 0;
-            break;
-        }
-        case BUSLOGICCOMMAND_INITIALIZE_EXTENDED_MAILBOX:
-        {
-            PRequestInitializeExtendedMailbox pRequest = (PRequestInitializeExtendedMailbox)pBusLogic->aCommandBuffer;
-
-            ///@todo: Command should fail if requested no. of mailbox entries is zero
+            if (!pRequest->cMailbox)
+            {
+                Log(("cMailboxes=%u (32-bit mode), fail!\n", pBusLogic->cMailbox));
+                pBusLogic->regStatus |= BL_STAT_CMDINV;
+                break;
+            }
             pBusLogic->fMbxIs24Bit = false;
             pBusLogic->cMailbox = pRequest->cMailbox;
@@ -2004,5 +2019,4 @@
 
             pBusLogic->regStatus &= ~BL_STAT_INREQ;
-            pBusLogic->cbReplyParametersLeft = 0;
             break;
         }
@@ -2071,6 +2085,11 @@
         case BUSLOGICCOMMAND_INQUIRE_SYNCHRONOUS_PERIOD:
         {
+            if (pBusLogic->aCommandBuffer[0] > sizeof(pBusLogic->aReplyBuffer))
+            {
+                Log(("Requested too much synch period inquiry (%u)!\n", pBusLogic->aCommandBuffer[0]));
+                pBusLogic->regStatus |= BL_STAT_CMDINV;
+                break;
+            }
             pBusLogic->cbReplyParametersLeft = pBusLogic->aCommandBuffer[0];
-
             for (uint8_t i = 0; i < pBusLogic->cbReplyParametersLeft; i++)
                 pBusLogic->aReplyBuffer[i] = 0; /** @todo Figure if we need something other here. It's not needed for the linux driver */
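Review bot: The zeroing loop at lines 87-88 clears only `cbReplyParametersLeft` bytes with a byte-sized index, whereas the model-number case in this same commit (line 29) now clears the whole reply buffer with `memset`; using the same form here, `memset(pBusLogic->aReplyBuffer, 0, sizeof(pBusLogic->aReplyBuffer));`, keeps the two handlers consistent and removes the per-byte loop, with the existing @todo kept as a plain comment above it. The bound check at line 79 already caps the length, so this is a point of style rather than correctness. The case body continues outside the hunk.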
@@ -2080,4 +2099,5 @@
         case BUSLOGICCOMMAND_DISABLE_HOST_ADAPTER_INTERRUPT:
         {
+            pBusLogic->cbReplyParametersLeft = 0;
             if (pBusLogic->aCommandBuffer[0] == 0)
                 pBusLogic->fIRQEnabled = false;
