On 31 March 2014 08:08, Stefan Hajnoczi <stefa...@redhat.com> wrote: > Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem > server on the host sends invalid values. > > Cc: Cam Macdonell <c...@cs.ualberta.ca> > Reported-by: Sebastian Krahmer <krah...@suse.de> > Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> > --- > hw/misc/ivshmem.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c > index 78363ce..25c22b7 100644 > --- a/hw/misc/ivshmem.c > +++ b/hw/misc/ivshmem.c > @@ -383,6 +383,9 @@ static void close_guest_eventfds(IVShmemState *s, int > posn) > if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) { > return; > } > + if (posn < 0 || posn > s->nb_peers) { > + return; > + } > > guest_curr_max = s->peers[posn].nb_eventfds;
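Review bot: the upper-bound check in the added guard is off by one: `if (posn < 0 || posn > s->nb_peers)` still lets `posn == s->nb_peers` through, and the next line indexes `s->peers[posn]`, so an ivshmem server sending exactly `nb_peers` would still read one element past the end of the array. The condition should be `posn >= s->nb_peers`. It would also help to keep the guard consistent with the other incoming_posn checks added in this patch and to emit a diagnostic rather than returning silently, so a misbehaving server is visible in the logs.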
Shouldn't the upper bound check be checking ">=", not ">"?

thanks
-- PMM