diff options
| author | Prasad J Pandit <pjp@fedoraproject.org> | 2016-07-27 21:07:56 +0530 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2016-07-29 00:07:10 +0300 |
| commit | 1e7aed70144b4673fc26e73062064b6724795e5f (patch) | |
| tree | d6cf8775d16eeb42d4e292a33568b9715fedae63 | |
| parent | 9a4c0e220d8a4f82b5665d0ee95ef94d8e1509d5 (diff) | |
| download | qemu-1e7aed70144b4673fc26e73062064b6724795e5f.tar.gz | |
virtio: check vring descriptor buffer length
virtio back end uses set of buffers to facilitate I/O operations.
An infinite loop unfolds in virtqueue_pop() if a buffer was
of zero size. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
| -rw-r--r-- | hw/virtio/virtio.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 752b2715d0..b4d05110d2 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -458,6 +458,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove unsigned num_sg = *p_num_sg; assert(num_sg <= max_num_sg); + if (!sz) { + error_report("virtio: zero sized buffers are not allowed"); + exit(1); + } + while (sz) { hwaddr len = sz; |