sandbox_flash_bulk uses priv->read_len to determine if priv->buff contains
the response data (such as from SCSI_INQUIRY). However, if priv->fd=-1 in
handle_read, then priv->read_len is not set even though we are going to
PHASE_DATA. This causes sandbox_flash_bulk to try to read len bytes from
priv->buff, which likely goes past the end of the buffer. Fix this by always
setting priv->read_len even if we aren't going to read anything.
Fixes: f4f715360c ("dm: usb: sandbox: Add an emulator for USB flash devices")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
ulong transfer_len)
{
debug("%s: lba=%lx, transfer_len=%lx\n", __func__, lba, transfer_len);
+ priv->read_len = transfer_len;
if (priv->fd != -1) {
os_lseek(priv->fd, lba * SANDBOX_FLASH_BLOCK_LEN, OS_SEEK_SET);
- priv->read_len = transfer_len;
setup_response(priv, priv->buff,
transfer_len * SANDBOX_FLASH_BLOCK_LEN);
} else {
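Review bot: The moved assignment on the line after the debug() call is now unconditional, so when no backing file is open `priv->read_len` is non-zero for a data phase that has no data, and the only thing stopping a read from `priv->fd == -1` is the matching guard added in sandbox_flash_bulk; that coupling is not visible here and deserves a comment, e.g. `/* Record the length even without a backing file: sandbox_flash_bulk uses it to recognise a read in the data phase and fails it with -EIO when fd is -1 */`. The `os_lseek()` return value on the following line is still unchecked, which predates this change but is worth noting since a failed seek would be followed by a read at the wrong offset. handle_read's signature begins and its body continues outside this hunk.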
if (priv->read_len) {
ulong bytes_read;
+ if (priv->fd == -1)
+ return -EIO;
+
bytes_read = os_read(priv->fd, buff, len);
if (bytes_read != len)
return -EIO;