virtio-ccw: range check in READ_VQ_CONF
authorCornelia Huck <cornelia.huck@de.ibm.com>
Fri, 20 Mar 2015 12:16:20 +0000 (13:16 +0100)
committerCornelia Huck <cornelia.huck@de.ibm.com>
Mon, 30 Mar 2015 07:25:17 +0000 (09:25 +0200)
Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
hw/s390x/virtio-ccw.c

index ceb6a457035024e629728bd55f7edd637e00c9dc..d32ecafe9811c22c41a7ebbff171c57db62f3041 100644 (file)
@@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
             ret = -EFAULT;
         } else {
             vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
+            if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
+                ret = -EINVAL;
+                break;
+            }
             vq_config.num_max = virtio_queue_get_num(vdev,
                                                      vq_config.index);
             stw_be_phys(&address_space_memory,
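Review bot: The added range check on `vq_config.index` has no comment saying that the value was just loaded from guest memory at `ccw.cda`, or that `-EINVAL` is what becomes the channel program check named in the commit message; that translation happens outside the hunk. I would put `/* index is guest-controlled; out of range -> channel program check */` directly above the `if`. The limit used is the PCI-named `VIRTIO_PCI_QUEUE_MAX` inside the ccw transport, so it is worth confirming that it matches the size of the queue array that `virtio_queue_get_num()` indexes, which is not visible here. If other CCW commands in `virtio_ccw_cb` also take a queue index from the guest, they presumably need the same guard; the function's body starts and ends outside the hunk.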