From: Anthony Liguori <[EMAIL PROTECTED]> We should check that the first element is the size we expect instead of just casting blindly.
Signed-off-by: Anthony Liguori <[EMAIL PROTECTED]>
Signed-off-by: Avi Kivity <[EMAIL PROTECTED]>
diff --git a/qemu/hw/virtio-blk.c b/qemu/hw/virtio-blk.c
index 3af36db..048285a 100644
--- a/qemu/hw/virtio-blk.c
+++ b/qemu/hw/virtio-blk.c
@@ -56,8 +56,6 @@ struct virtio_blk_outhdr
 uint32_t ioprio;
 /* Sector (ie. 512 byte offset) */
 uint64_t sector;
- /* Where to put reply. */
- uint64_t id;
 };
 
 #define VIRTIO_BLK_S_OK 0
@@ -94,6 +92,17 @@ static void virtio_blk_handle_output(VirtIODevice *vdev, VirtQueue *vq)
 off_t off;
 int i;
 
+ if (elem.out_num < 1 || elem.in_num < 1) {
+ fprintf(stderr, "virtio-blk missing headers\n");
+ exit(1);
+ }
+
+ if (elem.out_sg[0].iov_len != sizeof(*out) ||
+ elem.in_sg[elem.in_num - 1].iov_len != sizeof(*in)) {
+ fprintf(stderr, "virtio-blk header not in correct element\n");
+ exit(1);
+ }
+
 out = (void *)elem.out_sg[0].iov_base;
 in = (void *)elem.in_sg[elem.in_num - 1].iov_base;
 off = out->sector;
diff --git a/qemu/hw/virtio-net.c b/qemu/hw/virtio-net.c
index f727b14..5ac5089 100644
--- a/qemu/hw/virtio-net.c
+++ b/qemu/hw/virtio-net.c
@@ -125,6 +125,11 @@ static void virtio_net_receive(void *opaque, const uint8_t *buf, int size)
 return;
 }
 
+ if (elem.in_num < 1 || elem.in_sg[0].iov_len != sizeof(*hdr)) {
+ fprintf(stderr, "virtio-net header not in first element\n");
+ exit(1);
+ }
+
 hdr = (void *)elem.in_sg[0].iov_base;
 hdr->flags = 0;
 hdr->gso_type = VIRTIO_NET_HDR_GSO_NONE;
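Review bot: The new length checks in virtio_blk_handle_output answer a malformed request with exit(1), so a guest that hands the device a descriptor chain with a wrong-sized header terminates the whole emulator process rather than failing that one request; the chain layout is entirely guest-controlled, so this is a guest-triggerable shutdown of the device model and deserves at least a comment stating it is intentional, e.g. `/* Layout is guest-controlled: a bad chain is treated as fatal, not as an I/O error. */`. The comparison against sizeof(*out) also depends on the first hunk, which drops `uint64_t id;` from struct virtio_blk_outhdr and therefore changes that size; a guest driver still built with the older header layout would now land on this exit path, which the commit message does not mention. For diagnosability the second message could carry the observed lengths, e.g. `fprintf(stderr, "virtio-blk header not in correct element (out %zu, in %zu)\n", elem.out_sg[0].iov_len, elem.in_sg[elem.in_num - 1].iov_len);`. The function body continues outside the hunk, so how the remaining data elements of the chain are validated is not visible here.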
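Review bot: The header check added in virtio_net_receive (and repeated verbatim in virtio_net_poll in the following hunk, @@ -197,6 +202,11 @@) exits the process when the guest's first receive descriptor is not exactly sizeof(*hdr) bytes, so a single mis-sized buffer posted by the guest takes down the emulator instead of being dropped or logged; since the input it guards is guest-controlled, the fatal outcome should either be documented, e.g. `/* Descriptor layout is guest-controlled; a bad header element is treated as fatal rather than written past. */`, or replaced by a non-fatal path. Because the test is `!=` rather than a minimum length, a guest that places header and packet data in one descriptor is rejected as well even though only the header write at hdr->flags / hdr->gso_type needs the space; if that is the intent, `elem.in_sg[0].iov_len < sizeof(*hdr)` would be the weaker check, but loosening the contract should be a deliberate choice and noted in a comment. The block is duplicated in both functions, so a small static helper taking the VirtQueueElement would keep the two checks from drifting apart. Both enclosing functions begin and end outside their hunks.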
@@ -197,6 +202,11 @@ void virtio_net_poll(void)
 continue;
 }
 
+ if (elem.in_num < 1 || elem.in_sg[0].iov_len != sizeof(*hdr)) {
+ fprintf(stderr, "virtio-net header not in first element\n");
+ exit(1);
+ }
+
 hdr = (void *)elem.in_sg[0].iov_base;
 hdr->flags = 0;
 hdr->gso_type = VIRTIO_NET_HDR_GSO_NONE;

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
kvm-commits mailing list
kvm-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kvm-commits