When the guest writes something to a host, we copied over the entire buffer first into the host and then processed it. Do away with that, it could result in a malicious guest causing a DoS on the host.
Reported-by: Paul Brook <p...@codesourcery.com> Signed-off-by: Amit Shah <amit.s...@redhat.com> --- hw/virtio-serial-bus.c | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-) diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c index ecf0056..a0886a2 100644 --- a/hw/virtio-serial-bus.c +++ b/hw/virtio-serial-bus.c @@ -125,16 +125,16 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq, return; } while (virtqueue_pop(vq, &elem)) { - uint8_t *buf; - size_t ret, buf_size; + unsigned int i; - if (!discard) { - buf_size = iov_size(elem.out_sg, elem.out_num); - buf = qemu_malloc(buf_size); - ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size); + for (i = 0; !discard && i < elem.out_num; i++) { + size_t buf_size; - port->info->have_data(port, buf, ret); - qemu_free(buf); + buf_size = elem.out_sg[i].iov_len; + + port->info->have_data(port, + elem.out_sg[i].iov_base, + buf_size); } virtqueue_push(vq, &elem, 0); } -- 1.7.3.2