diff options
| author |   Nelson Elhage <<nelhage@ksplice.com>> | 2011-05-19 13:23:17 -0400 |
|---|---|---|
| committer |   Doug Goldstein <cardoe@cardoe.com> | 2011-07-21 15:39:28 -0500 |
| commit | f3c2a669593d5f4bfa7aa002ccbbaaca013f8e2f (patch) | |
| tree | 53e9d55c04f02af6654d86499095426ed877af5b | |
| parent | spice-qemu-char: Fix flow control in client -> guest direction (diff) | |
| download | qemu-kvm-0.14.1-gentoo.tar.gz qemu-kvm-0.14.1-gentoo.tar.bz2 qemu-kvm-0.14.1-gentoo.zip | |
virtqueue: Sanity-check the length of indirect descriptors.qemu-kvm-0.14.1-gentoo-2qemu-kvm-0.14.1-gentoo
We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.
| -rw-r--r-- | hw/virtio.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/hw/virtio.c b/hw/virtio.c index 31bd9e32d..1ad857336 100644 --- a/hw/virtio.c +++ b/hw/virtio.c @@ -336,6 +336,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); num_bufs = i = 0; desc_pa = vring_desc_addr(desc_pa, i); + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } do { @@ -406,6 +411,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } /* Collect all the descriptors */ |