[Xen-devel] [PATCH]ioemu: fix buffer overflow of vslots
Assuming we assign n devices, strlen(direct_pci) can be 13n and the length of the old 'vslots' is 13n/3 which is smaller than 5n+1 (1 slot_str takes 5 bytes). So we have to malloc a bigger buffer for vslots. Signed-off-by: Dexuan Cui <dexuan.cui@xxxxxxxxx> diff --git a/hw/pass-through.c b/hw/pass-through.c index f5cdcdd..07cd4f4 100644 --- a/hw/pass-through.c +++ b/hw/pass-through.c @@ -3934,10 +3934,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci) if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) ) return 0; - /* the virtual pci slots of all pass-through devs - * with hex format: xx;xx...; + /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may + * be even longer considering the per-device opts(see the parsing for + * '/local/domain/0/backend/pci/XX/YY/opts-ZZ' in + * xenstore_parse_domain_config(). + * + * The format of vslots(virtual pci slots of all pass-through devs): + * 0xXX;0xXX;... (see the code below). + * + * We're sure the length of direct_pci is bigger than that of vslots. */ - vslots = qemu_mallocz ( strlen(direct_pci) / 3 ); + vslots = qemu_mallocz(strlen(direct_pci) + 1); + if ( vslots == NULL ) + { + status = -1; + goto err; + } /* Assign given devices to guest */ while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f, &opt) ) _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
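Review bot: The new size `strlen(direct_pci) + 1` is only justified by the comment's claim "We're sure the length of direct_pci is bigger than that of vslots", and nothing in this hunk enforces it. Each device adds a 5-byte `0xXX;` to vslots, so the buffer is large enough only while every entry that `next_bdf()` accepts is at least 5 bytes long. That holds for the 13-byte minimal format described in the comment, but the parser is not visible here, so the bound rests on its behaviour staying the same. Consider sizing the buffer from the number of entries (5 bytes per device plus the terminator), or checking the remaining space where each slot string is appended, so the write is bounded at the point it happens. Two smaller points: the `strdup()` failure just above does `return 0` while the new allocation failure sets `status = -1` and jumps to `err`, so the two out-of-memory paths report differently and it is worth confirming that callers treat both as a failure; and the parenthesis opened at "(see the parsing for" in the new comment is never closed.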