Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/sd/sd.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index f0eaac4d42..489d13681d 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -56,6 +56,8 @@ do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
 #define OCR_POWER_UP            0x80000000
 #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
 
+#define SDCARD_CMD_MAX 64
+
 typedef enum {
     sd_r0 = 0,    /* no response */
     sd_r1,        /* normal response command */
@@ -176,18 +178,21 @@ static void sd_set_mode(SDState *sd)
     }
 }
 
-static const sd_cmd_type_t sd_cmd_type[64] = {
+static const sd_cmd_type_t sd_cmd_type[SDCARD_CMD_MAX] = {
     sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
     sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
+    /* 16 */
     sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
     sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
+    /* 32 */
     sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
     sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
+    /* 48 */
     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
     sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
 };
 
-static const int sd_cmd_class[64] = {
+static const int sd_cmd_class[SDCARD_CMD_MAX] = {
     0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
     2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
     5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
@@ -787,8 +792,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,
     /* Not interpreting this as an app command */
     sd->card_status &= ~APP_CMD;
 
-    if (sd_cmd_type[req.cmd & 0x3F] == sd_ac
-        || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) {
+    if (sd_cmd_type[req.cmd] == sd_ac
+        || sd_cmd_type[req.cmd] == sd_adtc) {
         rca = req.arg >> 16;
     }
 
@@ -1495,8 +1500,8 @@ static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
     if (req->cmd == 16 || req->cmd == 55) {
         return 1;
     }
-    return sd_cmd_class[req->cmd & 0x3F] == 0
-            || sd_cmd_class[req->cmd & 0x3F] == 7;
+    return sd_cmd_class[req->cmd] == 0
+            || sd_cmd_class[req->cmd] == 7;
 }
 
 int sd_do_command(SDState *sd, SDRequest *req,
@@ -1515,6 +1520,12 @@ int sd_do_command(SDState *sd, SDRequest *req,
         goto send_response;
     }
 
+    if (req->cmd >= SDCARD_CMD_MAX) {
+        qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
+                      req->cmd);
+        req->cmd &= 0x3f;
+    }
+
     if (sd->card_status & CARD_IS_LOCKED) {
         if (!cmd_valid_while_locked(sd, req)) {
             sd->card_status |= ILLEGAL_COMMAND;
-- 
2.15.1

On Wed, Jan 3, 2018 at 1:24 PM, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>

Alistair

> ---
>  hw/sd/sd.c | 23 +++++++++++++++++------
>  1 file changed, 17 insertions(+), 6 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index f0eaac4d42..489d13681d 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -56,6 +56,8 @@ do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
>  #define OCR_POWER_UP            0x80000000
>  #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
>
> +#define SDCARD_CMD_MAX 64
> +
>  typedef enum {
>      sd_r0 = 0,    /* no response */
>      sd_r1,        /* normal response command */
> @@ -176,18 +178,21 @@ static void sd_set_mode(SDState *sd)
>      }
>  }
>
> -static const sd_cmd_type_t sd_cmd_type[64] = {
> +static const sd_cmd_type_t sd_cmd_type[SDCARD_CMD_MAX] = {
>      sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
>      sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
> +    /* 16 */
>      sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
>      sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
> +    /* 32 */
>      sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
>      sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
> +    /* 48 */
>      sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
>      sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
>  };
>
> -static const int sd_cmd_class[64] = {
> +static const int sd_cmd_class[SDCARD_CMD_MAX] = {
>      0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
>      2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
>      5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
> @@ -787,8 +792,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd,
>      /* Not interpreting this as an app command */
>      sd->card_status &= ~APP_CMD;
>
> -    if (sd_cmd_type[req.cmd & 0x3F] == sd_ac
> -        || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) {
> +    if (sd_cmd_type[req.cmd] == sd_ac
> +        || sd_cmd_type[req.cmd] == sd_adtc) {
>          rca = req.arg >> 16;
>      }
>
> @@ -1495,8 +1500,8 @@ static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
>      if (req->cmd == 16 || req->cmd == 55) {
>          return 1;
>      }
> -    return sd_cmd_class[req->cmd & 0x3F] == 0
> -            || sd_cmd_class[req->cmd & 0x3F] == 7;
> +    return sd_cmd_class[req->cmd] == 0
> +            || sd_cmd_class[req->cmd] == 7;
>  }
>
>  int sd_do_command(SDState *sd, SDRequest *req,
> @@ -1515,6 +1520,12 @@ int sd_do_command(SDState *sd, SDRequest *req,
>          goto send_response;
>      }
>
> +    if (req->cmd >= SDCARD_CMD_MAX) {
> +        qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
> +                      req->cmd);
> +        req->cmd &= 0x3f;
> +    }
> +
>      if (sd->card_status & CARD_IS_LOCKED) {
>          if (!cmd_valid_while_locked(sd, req)) {
>              sd->card_status |= ILLEGAL_COMMAND;
> --
> 2.15.1
>
>