From patchwork Sat Jan 26 01:58:38 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [QEMU] m25p80.c: Return state to IDLE after COLLECTING
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
X-Patchwork-Id: 215881
Message-Id: <e65b2682-ef5b-4445-9b23-87719b2ccba6@CH1EHSMHS027.ehs.local>
To: <qemu-devel@nongnu.org>
Cc: peter.maydell@linaro.org,
 Peter Crosthwaite <peter.crosthwaite@xilinx.com>, 
 git@xilinx.com, dantesu@faraday-tech.com, edgar.iglesias@gmail.com
Date: Fri, 25 Jan 2013 17:58:38 -0800

Default to moving back to the IDLE state after the COLLECTING_DATA
state. For a well behaved guest this patch has no consequence, but
A bad guest could crash QEMU by using one of the erase commands
followed by a longer than 5 byte argument (undefined behaviour).

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>

---
hw/m25p80.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/m25p80.c b/hw/m25p80.c
index ad9e800..16d4880 100644
--- a/hw/m25p80.c
+++ b/hw/m25p80.c
@@ -359,6 +359,8 @@ static void complete_collecting_data(Flash *s)
     s->cur_addr |= s->data[1] << 8;
     s->cur_addr |= s->data[2];
 
+    s->state = STATE_IDLE;
+
     switch (s->cmd_in_progress) {
     case DPP:
     case QPP: