[PATCH 6/15] hypervisor console driver for Celleb
Linas Vepstas
linas at austin.ibm.com
Wed Dec 13 06:41:07 EST 2006
On Tue, Dec 12, 2006 at 12:31:29PM +0900, Ishizaki Kou wrote:
> +
> +static int hvc_beat_get_chars(uint32_t vtermno, char *buf, int cnt)
> +{
> + unsigned long kb[2];
> + unsigned long got;
> +
> + if (beat_get_term_char(vtermno, &got, &kb[0], &kb[1]) == 0) {
> + memcpy(buf, kb, got);
> + return got;
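Review bot: in hvc_beat_get_chars, `memcpy(buf, kb, got)` uses the length reported by beat_get_term_char without comparing it to cnt or to sizeof(kb). A got larger than cnt writes past the caller's buffer, and a got larger than sizeof(kb) reads past the local array. Validate got against sizeof(kb) before the copy and copy at most cnt bytes, keeping any remainder in a driver-side buffer for the next call so that characters are not dropped. got is an unsigned long returned through an int, so the bound check should come before the return as well.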
This seems to completely ignore "cnt". Thus, I presume that
beat_get_term_char might return more chars than there is room for in buf,
thus corrupting something, somewhere.
> +static int hvc_beat_put_chars(uint32_t vtermno, const char *buf, int cnt)
> +{
> + unsigned long kb[2];
> +
> + memcpy(kb, buf, sizeof(kb));
> + beat_put_term_char(vtermno, cnt, kb[0], kb[1]);
> + return cnt;
> +}
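Review bot: in hvc_beat_put_chars, `memcpy(kb, buf, sizeof(kb))` always reads sizeof(kb) bytes from buf regardless of cnt. When cnt is smaller than sizeof(kb), this reads beyond the data the caller supplied. When cnt is larger, the function still returns cnt although kb[0] and kb[1] can carry only sizeof(kb) bytes. Clamp cnt to sizeof(kb), zero kb and copy only the clamped number of bytes, and return that number so the caller resubmits the rest. The result of beat_put_term_char is also discarded here; a failure should be reflected in the return value rather than reported as cnt bytes written.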
I can't imagine how this can possibly work.
What if "cnt" is greater than 8?
--linas