[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] ioemu: security fixes for not-built or not-default-configured subsystems.
# HG changeset patch # User Keir Fraser <keir@xxxxxxxxxxxxx> # Date 1190794752 -3600 # Node ID 0b873d909ad30e554a3ffebf14176e7257a3e023 # Parent 3c1e76dda38b2e584637a3acdb0b7d14eefd2024 ioemu: security fixes for not-built or not-default-configured subsystems. Patches originally proposed by S. Caglar Onur and cleaned up for xen-unstable by Robert Buchholz <rbu@xxxxxxxxxx>. Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx> --- tools/ioemu/hw/fdc.c | 9 +++++++-- tools/ioemu/hw/ne2000.c | 8 ++++++-- tools/ioemu/hw/sb16.c | 6 ++++-- 3 files changed, 17 insertions(+), 6 deletions(-) diff -r 3c1e76dda38b -r 0b873d909ad3 tools/ioemu/hw/fdc.c --- a/tools/ioemu/hw/fdc.c Wed Sep 26 09:15:34 2007 +0100 +++ b/tools/ioemu/hw/fdc.c Wed Sep 26 09:19:12 2007 +0100 @@ -1100,8 +1100,13 @@ static uint32_t fdctrl_read_data (fdctrl len = fdctrl->data_len - fdctrl->data_pos; if (len > FD_SECTOR_LEN) len = FD_SECTOR_LEN; - bdrv_read(cur_drv->bs, fd_sector(cur_drv), - fdctrl->fifo, len); + if (cur_drv->bs) { + bdrv_read(cur_drv->bs, fd_sector(cur_drv), + fdctrl->fifo, len); + } else { + FLOPPY_ERROR("can't read data from drive\n"); + return 0; + } } } retval = fdctrl->fifo[pos]; diff -r 3c1e76dda38b -r 0b873d909ad3 tools/ioemu/hw/ne2000.c --- a/tools/ioemu/hw/ne2000.c Wed Sep 26 09:15:34 2007 +0100 +++ b/tools/ioemu/hw/ne2000.c Wed Sep 26 09:19:12 2007 +0100 @@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque, { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque, /* write packet data */ while (size > 0) { - avail = s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; diff -r 3c1e76dda38b -r 0b873d909ad3 tools/ioemu/hw/sb16.c --- a/tools/ioemu/hw/sb16.c Wed Sep 26 09:15:34 2007 +0100 +++ b/tools/ioemu/hw/sb16.c Wed Sep 26 09:19:12 2007 +0100 @@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in s->block_size); #endif - while (s->left_till_irq <= 0) { - s->left_till_irq = s->block_size + s->left_till_irq; + if (s->block_size) { + while (s->left_till_irq <= 0) { + s->left_till_irq = s->block_size + s->left_till_irq; + } } return dma_pos; _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |