qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 2/4] virtio-pci: don't crash on illegal length

From: Michael S. Tsirkin
Subject: [Qemu-devel] [PULL 2/4] virtio-pci: don't crash on illegal length
Date: Mon, 13 Jul 2015 15:04:37 +0300 
Some guests seem to access cfg with an illegal length value.
It's worth fixing them but debugging is easier if
qemu does not crash.

Signed-off-by: Michael S. Tsirkin <address@hidden>
---
 hw/virtio/virtio-pci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 6ca0258..c5e8cc0 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -546,7 +546,8 @@ static void virtio_write_config(PCIDevice *pci_dev, 
uint32_t address,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_write(&proxy->modern_as, off,
                                        cfg->pci_cfg_data, len);
         }
@@ -570,7 +571,8 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_read(&proxy->modern_as, off,
                                       cfg->pci_cfg_data, len);
         }
-- 
MST
reply via email to
[Prev in Thread] Current Thread [Next in Thread]