The third argument to the fd_read() callback implemented by ivshmem_read() is the number of bytes, not a flags field. Fix this and check we received enough bytes before accessing the buffer pointer.
Cc: Cam Macdonell <c...@cs.ualberta.ca> Reported-by: Sebastian Krahmer <krah...@suse.de> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> --- hw/misc/ivshmem.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c index 8d144ba..78363ce 100644 --- a/hw/misc/ivshmem.c +++ b/hw/misc/ivshmem.c @@ -420,13 +420,18 @@ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) { } } -static void ivshmem_read(void *opaque, const uint8_t * buf, int flags) +static void ivshmem_read(void *opaque, const uint8_t * buf, int size) { IVShmemState *s = opaque; int incoming_fd, tmp_fd; int guest_max_eventfd; long incoming_posn; + if (size < sizeof(incoming_posn)) { + IVSHMEM_DPRINTF("short read of %d bytes\n", size); + return; + } + memcpy(&incoming_posn, buf, sizeof(long)); /* pick off s->server_chr->msgfd and store it, posn should accompany msg */ tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr); -- 1.9.0
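Review bot: The new check `if (size < sizeof(incoming_posn))` compares a signed `int` against a `size_t`, so a negative `size` would be converted to a huge unsigned value and slip past the guard (and compilers flag it under -Wsign-compare); `if (size < 0 || (size_t)size < sizeof(incoming_posn))` makes the intent explicit. While touching this spot, the `memcpy(&incoming_posn, buf, sizeof(long))` on the following line could use `sizeof(incoming_posn)` so the bound checked and the bound copied are spelled the same way and cannot drift apart.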