In fact we don't support zero length config length for virtio device. And it can
lead outbound memory access. So abort on zero config length to catch the bug
earlier.
Signed-off-by: Jason Wang <jasow...@redhat.com>
---
hw/virtio/virtio.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 1c2282c..a6fa667 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -923,6 +923,7 @@ void virtio_init(VirtIODevice *vdev, const char *name,
uint16_t device_id, size_t config_size)
{
int i;
+ assert(config_size);
vdev->device_id = device_id;
vdev->status = 0;
vdev->isr = 0;
@@ -938,11 +939,7 @@ void virtio_init(VirtIODevice *vdev, const char *name,
vdev->name = name;
vdev->config_len = config_size;
- if (vdev->config_len) {
- vdev->config = g_malloc0(config_size);
- } else {
- vdev->config = NULL;
- }
+ vdev->config = g_malloc0(config_size);
vdev->vmstate = qemu_add_vm_change_state_handler(virtio_vmstate_change,
vdev);
}
--
1.7.1
