From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53010) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WUWKl-0008Gt-7o for qemu-devel@nongnu.org; Mon, 31 Mar 2014 03:08:44 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WUWKf-0003rB-EJ for qemu-devel@nongnu.org; Mon, 31 Mar 2014 03:08:39 -0400 Received: from mx1.redhat.com ([209.132.183.28]:34497) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WUWKf-0003qt-6B for qemu-devel@nongnu.org; Mon, 31 Mar 2014 03:08:33 -0400 From: Stefan Hajnoczi Date: Mon, 31 Mar 2014 09:08:10 +0200 Message-Id: <1396249691-29990-2-git-send-email-stefanha@redhat.com> In-Reply-To: <1396249691-29990-1-git-send-email-stefanha@redhat.com> References: <1396249691-29990-1-git-send-email-stefanha@redhat.com> Subject: [Qemu-devel] [PATCH 1/2] ivshmem: check ivshmem_read() size argument List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Cam Macdonell , Stefan Hajnoczi The third argument to the fd_read() callback implemented by ivshmem_read() is the number of bytes, not a flags field. Fix this and check we received enough bytes before accessing the buffer pointer. Cc: Cam Macdonell Reported-by: Sebastian Krahmer Signed-off-by: Stefan Hajnoczi --- hw/misc/ivshmem.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c index 8d144ba..78363ce 100644 --- a/hw/misc/ivshmem.c +++ b/hw/misc/ivshmem.c 
@@ -420,13 +420,18 @@ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) { } } -static void ivshmem_read(void *opaque, const uint8_t * buf, int flags) +static void ivshmem_read(void *opaque, const uint8_t * buf, int size) { IVShmemState *s = opaque; int incoming_fd, tmp_fd; int guest_max_eventfd; long incoming_posn; + if (size < sizeof(incoming_posn)) { + IVSHMEM_DPRINTF("short read of %d bytes\n", size); + return; + } + memcpy(&incoming_posn, buf, sizeof(long)); /* pick off s->server_chr->msgfd and store it, posn should accompany msg */ tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr); -- 1.9.0
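Review bot: the new guard `if (size < sizeof(incoming_posn))` compares a signed `int` with an unsigned `size_t`, so a negative `size` would be converted to a large unsigned value and slip past the check; consider `if (size < 0 || size < (int)sizeof(incoming_posn))` or casting explicitly, which also avoids a `-Wsign-compare` warning. Two smaller points on the same hunk: the `memcpy(&incoming_posn, buf, sizeof(long))` that follows still uses `sizeof(long)` while the check uses `sizeof(incoming_posn)`, and keeping both on `sizeof(incoming_posn)` makes the bound and the copy visibly agree; and the early `return` happens before `tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr)`, so if a short read arrives with an attached fd that descriptor is never picked up by this path, which is worth a comment or a check that the chardev layer releases it.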