author: Nelson Elhage <nelhage@ksplice.com> 2011-05-19 13:23:17 -0400
committerDoug Goldstein <cardoe@cardoe.com>2011-07-21 15:39:28 -0500
commitf3c2a669593d5f4bfa7aa002ccbbaaca013f8e2f (patch)
tree53e9d55c04f02af6654d86499095426ed877af5b
parentspice-qemu-char: Fix flow control in client -> guest direction (diff)
virtqueue: Sanity-check the length of indirect descriptors. (tags: qemu-kvm-0.14.1-gentoo-2, qemu-kvm-0.14.1-gentoo)
We were previously allowing arbitrarily-long descriptors, which could lead to a buffer overflow in the qemu-kvm process.
-rw-r--r--hw/virtio.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/hw/virtio.c b/hw/virtio.c
index 31bd9e32d..1ad857336 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -336,6 +336,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
num_bufs = i = 0;
desc_pa = vring_desc_addr(desc_pa, i);
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
do {
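Review bot: The new bound only caps the descriptor count; an indirect table whose byte length is not a multiple of sizeof(VRingDesc) still passes, because the division on the `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` line silently drops the trailing partial entry, so a guest can hand over a misaligned table with no diagnostic. That length should also be rejected when `vring_desc_len(desc_pa, i) % sizeof(VRingDesc)` is non-zero, and the check must run before the `desc_pa = vring_desc_addr(desc_pa, i);` line, since after it desc_pa no longer points at the descriptor whose len was read. Separately, exit(1) here is a guest-triggerable teardown of the whole VM; if that is the accepted policy for malformed rings it deserves a one-line comment such as `/* Malformed ring from the guest: abort rather than risk an overflow. */`. virtqueue_avail_bytes starts and ends outside this hunk.
```c
        max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
        if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) {
            error_report("Indirect descriptor table length is not a multiple of the descriptor size");
            exit(1);
        }
        num_bufs = i = 0;
        desc_pa = vring_desc_addr(desc_pa, i);
        /* … unchanged: the added VIRTQUEUE_MAX_SIZE check … */
```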
@@ -406,6 +411,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
desc_pa = vring_desc_addr(desc_pa, i);
i = 0;
+
+ if (max > VIRTQUEUE_MAX_SIZE) {
+ error_report("Too-large indirect descriptor");
+ exit(1);
+ }
}
/* Collect all the descriptors */
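Review bot: The guard bounds only how many descriptors the indirect table may hold, not whether its length is descriptor-aligned: the division on the `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` line truncates, so a guest-supplied length such as sizeof(VRingDesc) + 1 is accepted with the remainder silently ignored. Adding `if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) { error_report("Invalid indirect descriptor table size"); exit(1); }` before the `desc_pa = vring_desc_addr(desc_pa, i);` line closes that, and it has to precede that line because desc_pa is rebound there. As a matter of style, this five-line block is now duplicated verbatim in virtqueue_avail_bytes and virtqueue_pop; a small static helper taking the length would keep the two sanity checks from drifting apart. virtqueue_pop starts and ends outside this hunk.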