From bbdd2ad0814ea0911076419ea21b7957505cf1cc Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 10 Sep 2012 12:30:56 +1000 Subject: qemu-char: BUGFIX, don't call FD_ISSET with negative fd tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does not check if the fd it is using is valid (>= 0) before passing it to qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not initially connected, this can result in -1 being passed to FD_ISSET, which has undefined behaviour. On x86 it seems to harmlessly return 0, but on PowerPC, it causes a fortify buffer overflow error to be thrown. This patch fixes this by putting an extra test in tcp_chr_connect(), and also adds an assert qemu_set_fd_handler2() to catch other such errors on all platforms, rather than just some. Signed-off-by: David Gibson Signed-off-by: Anthony Liguori --- qemu-char.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'qemu-char.c') diff --git a/qemu-char.c b/qemu-char.c index 10d1504948..7f0f895157 100644 --- a/qemu-char.c +++ b/qemu-char.c @@ -2329,8 +2329,10 @@ static void tcp_chr_connect(void *opaque) TCPCharDriver *s = chr->opaque; s->connected = 1; - qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, - tcp_chr_read, NULL, chr); + if (s->fd >= 0) { + qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, + tcp_chr_read, NULL, chr); + } qemu_chr_generic_open(chr); } -- cgit v1.2.1