From af8eb67fb44f7ab1831d6651ea4a079f2ebc99ff Mon Sep 17 00:00:00 2001
From: "Blake Hechtman ext:(%2C%20Nilay%20Vaish%20%3Cnilay%40cs.wisc.edu%3E)"
 <bah13@duke.edu>
Date: Sat, 2 Mar 2013 23:12:55 -0600
Subject: ruby: fixes functional writes to RubyRequest The functional write
 code was assuming that all writes are block sized, which may not be true for
 Ruby Requests. This bug can lead to a buffer overflow.

Committed by: Nilay Vaish <nilay@cs.wisc.edu>
---
 src/mem/ruby/slicc_interface/RubyRequest.cc | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

(limited to 'src/mem/ruby/slicc_interface')

diff --git a/src/mem/ruby/slicc_interface/RubyRequest.cc b/src/mem/ruby/slicc_interface/RubyRequest.cc
index 7ff2b75d8..ca0ab059f 100644
--- a/src/mem/ruby/slicc_interface/RubyRequest.cc
+++ b/src/mem/ruby/slicc_interface/RubyRequest.cc
@@ -39,19 +39,19 @@ RubyRequest::functionalWrite(Packet *pkt)
     // has to overwrite the data for the timing request, even if the
     // timing request has still not been ordered globally.
 
-    Address pktLineAddr(pkt->getAddr());
-    pktLineAddr.makeLineAddress();
+    Addr wBase = pkt->getAddr();
+    Addr wTail = wBase + pkt->getSize();
+    Addr mBase = m_PhysicalAddress.getAddress();
+    Addr mTail = mBase + m_Size;
 
-    if (pktLineAddr == m_LineAddress) {
-        uint8_t *pktData = pkt->getPtr<uint8_t>(true);
-        unsigned int size_in_bytes = pkt->getSize();
-        unsigned startByte = pkt->getAddr() - m_LineAddress.getAddress();
+    uint8_t * pktData = pkt->getPtr<uint8_t>(true);
 
-        for (unsigned i = 0; i < size_in_bytes; ++i) {
-            data[i + startByte] = pktData[i];
-        }
+    Addr cBase = std::max(wBase, mBase);
+    Addr cTail = std::min(wTail, mTail);
 
-        return true;
+    for (Addr i = cBase; i < cTail; ++i) {
+        data[i - mBase] = pktData[i - wBase];
     }
-    return false;
+
+    return cBase < cTail;
 }
-- 
cgit v1.2.3