On Thu, Apr 25, 2013 at 03:43:27PM +0800, Jason Wang wrote:
> In fact we don't support zero length config length for virtio device. And it
> can lead to out-of-bounds memory access. So abort on zero config length to
> catch the bug earlier.
> 
> Signed-off-by: Jason Wang <jasow...@redhat.com>

Acked-by: Michael S. Tsirkin <m...@redhat.com>

> ---
>  hw/virtio/virtio.c |    7 ++-----
>  1 files changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 1c2282c..a6fa667 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -923,6 +923,7 @@ void virtio_init(VirtIODevice *vdev, const char *name,
>                   uint16_t device_id, size_t config_size)
>  {
>      int i;
> +    assert(config_size);
>      vdev->device_id = device_id;
>      vdev->status = 0;
>      vdev->isr = 0;
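Review bot: the new `assert(config_size);` is the only guard against a zero-length config, and an assert() compiles to nothing when NDEBUG is defined, so in such a build this hunk changes nothing and the zero case falls through to the allocation below. If the intent is to make zero config length a hard error for every build, consider a check that does not depend on NDEBUG (or state in the commit message that the project builds with asserts enabled). A one-line comment above the assert saying why a zero length is rejected (it leads to out-of-bounds config accesses, per the commit message) would also help the next reader.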
> @@ -938,11 +939,7 @@ void virtio_init(VirtIODevice *vdev, const char *name,
>  
>      vdev->name = name;
>      vdev->config_len = config_size;
> -    if (vdev->config_len) {
> -        vdev->config = g_malloc0(config_size);
> -    } else {
> -        vdev->config = NULL;
> -    }
> +    vdev->config = g_malloc0(config_size);
>      vdev->vmstate = qemu_add_vm_change_state_handler(virtio_vmstate_change,
>                                                       vdev);
>  }
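Review bot: dropping the `if (vdev->config_len)` branch removes the only explicit handling of the zero-length case, so this hunk is correct only as long as the assert added in the previous hunk is compiled in; otherwise `g_malloc0(0)` is reached with `config_len` left at 0, and the code no longer documents that this state is unsupported. Since the removed branch was the place where `vdev->config = NULL` signalled "no config space", a short comment at the `g_malloc0(config_size)` line noting that callers must pass a non-zero size would preserve that information for readers of virtio_init.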
> -- 
> 1.7.1
