[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[win-pv-devel] [PATCH] Fix 0xD6 bugcheck found with verifier

To: <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
From: Paul Durrant <paul.durrant@xxxxxxxxxx>
Date: Mon, 15 Dec 2014 14:36:22 +0000
Cc: Paul Durrant <paul.durrant@xxxxxxxxxx>
Delivery-date: Mon, 15 Dec 2014 14:43:15 +0000
List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

PdoAddRevision() reads beyond the end of an allocation when copying the old
revision table to the new one. This is becaause it is incorrectly using the
Count stack variable rather then the Count field in the Pdo structure. This
patch fixes the problem.

Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
 src/xenbus/pdo.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/xenbus/pdo.c b/src/xenbus/pdo.c
index 65f63e5..aa9e5bc 100644
--- a/src/xenbus/pdo.c
+++ b/src/xenbus/pdo.c
@@ -316,7 +316,9 @@ PdoAddRevision(
         goto fail1;
 
     if (Pdo->Revision != NULL) {
-        RtlCopyMemory(Revision, Pdo->Revision, sizeof (ULONG) * Count);
+        RtlCopyMemory(Revision,
+                      Pdo->Revision,
+                      sizeof (ULONG) * Pdo->Count);
         __PdoFree(Pdo->Revision);
     }
 
-- 
2.1.1


_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel

Prev by Date: Re: [win-pv-devel] [PATCH 04/10] Separate checking upcall_pending in shared info from EvtchnPoll
Next by Date: [win-pv-devel] [PATCH] Fix free-at-wrong-IRQL bug
Previous by thread: [win-pv-devel] [PATCH] Add missing function type
Next by thread: [win-pv-devel] [PATCH] Fix free-at-wrong-IRQL bug
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.