author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-03-24 19:16:59 +0000 |
---|---|---|
committer | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-04-04 15:17:53 +0100 |
commit | 5a50644e4763b6e8370eddc10d30d87134a91167 (patch) | |
tree | a98cfcbc7ed4848a5def98d823ad127b0a80489d /hw/scsi | |
parent | 266170f91f9079c102dafb252497f3bae5e844ee (diff) |
esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS
The current logic assumes that at least 1 byte is present in the FIFO when
executing a non-DMA SELATNS command, but this may not be the case if the
guest executes an invalid ESP command sequence.
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20240324191707.623175-11-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Diffstat (limited to 'hw/scsi')
-rw-r--r-- | hw/scsi/esp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 1aac8f5564..f3aa5364cf 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -762,7 +762,8 @@ static void esp_do_nodma(ESPState *s) case CMD_SELATNS: /* Copy one byte from FIFO into cmdfifo */ - len = esp_fifo_pop_buf(s, buf, 1); + len = esp_fifo_pop_buf(s, buf, + MIN(fifo8_num_used(&s->fifo), 1)); len = MIN(fifo8_num_free(&s->cmdfifo), len); fifo8_push_all(&s->cmdfifo, buf, len); |
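Review bot: In the CMD_SELATNS case of esp_do_nodma(), the comment still says "Copy one byte from FIFO into cmdfifo", but with the `MIN(fifo8_num_used(&s->fifo), 1)` clamp the pop can now yield zero bytes, after which the code continues to `fifo8_push_all(&s->cmdfifo, buf, len)` with len == 0. Please reword the comment to "at most one byte" and either handle len == 0 explicitly at this point or state that the zero-length push is intended, so the empty-FIFO path from an invalid guest command sequence is visibly deliberate. Because the clamp is applied at this one call site, it is also worth checking whether other callers of esp_fifo_pop_buf() pass a length that can exceed the number of bytes in the FIFO, or whether the bound belongs inside the helper itself.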