diff options
| author | Amit Shah <amit.shah@redhat.com> | 2010-12-10 17:29:49 +0530 |
|---|---|---|
| committer | Amit Shah <amit.shah@redhat.com> | 2011-01-20 14:38:21 +0530 |
| commit | 471344db88cc3e7adf7664aa34d54ce0cacc3419 (patch) | |
| tree | 2ccb7824ae371a0e8055e19e269d92f06d781359 /hw/virtio-serial-bus.c | |
| parent | 6bff86560d42a9c391cf1e502ebd764c293c4d02 (diff) | |
| download | qemu-471344db88cc3e7adf7664aa34d54ce0cacc3419.tar.gz | |
virtio-serial: Don't copy over guest buffer to host
When the guest writes something to a host, we copied over the entire
buffer first into the host and then processed it. Do away with that, it
could result in a malicious guest causing a DoS on the host.
Reported-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Diffstat (limited to 'hw/virtio-serial-bus.c')
| -rw-r--r-- | hw/virtio-serial-bus.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c index e8c2a168ec..6726f72b6f 100644 --- a/hw/virtio-serial-bus.c +++ b/hw/virtio-serial-bus.c @@ -132,16 +132,17 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq, assert(virtio_queue_ready(vq)); while (!port->throttled && virtqueue_pop(vq, &elem)) { - uint8_t *buf; - size_t ret, buf_size; + unsigned int i; - buf_size = iov_size(elem.out_sg, elem.out_num); - buf = qemu_malloc(buf_size); - ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size); + for (i = 0; i < elem.out_num; i++) { + size_t buf_size; - port->info->have_data(port, buf, ret); - qemu_free(buf); + buf_size = elem.out_sg[i].iov_len; + port->info->have_data(port, + elem.out_sg[i].iov_base, + buf_size); + } virtqueue_push(vq, &elem, 0); } virtio_notify(vdev, vq); |