On 14.04.2014 17:33, Peter Maydell wrote: > On 31 March 2014 08:08, Stefan Hajnoczi <stefa...@redhat.com> wrote: >> The third argument to the fd_read() callback implemented by >> ivshmem_read() is the number of bytes, not a flags field. Fix this and >> check we received enough bytes before accessing the buffer pointer. >> >> Cc: Cam Macdonell <c...@cs.ualberta.ca> >> Reported-by: Sebastian Krahmer <krah...@suse.de> >> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> >> --- >> hw/misc/ivshmem.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c >> index 8d144ba..78363ce 100644 >> --- a/hw/misc/ivshmem.c >> +++ b/hw/misc/ivshmem.c >> @@ -420,13 +420,18 @@ static void increase_dynamic_storage(IVShmemState *s, >> int new_min_size) { >> } >> } >> >> -static void ivshmem_read(void *opaque, const uint8_t * buf, int flags) >> +static void ivshmem_read(void *opaque, const uint8_t * buf, int size) >> { >> IVShmemState *s = opaque; >> int incoming_fd, tmp_fd; >> int guest_max_eventfd; >> long incoming_posn; >> >> + if (size < sizeof(incoming_posn)) { >> + IVSHMEM_DPRINTF("short read of %d bytes\n", size); >> + return; >> + } >> + > > Looking at the qemu-chr API I'm not sure this is correct: > aren't we going to throw away data here? My guess is that we > need to save the half-a-word so we can use it when the > other half arrives in a subsequent call.
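Review bot: the new guard `if (size < sizeof(incoming_posn))` compares the signed `int size` against a `size_t`, so the comparison is performed unsigned: a negative `size` would be converted to a very large value and slip past the check, and the build will warn under -Wsign-compare. Compare against a signed width instead, e.g. `if (size < (int)sizeof(incoming_posn))`, or reject `size <= 0` first. The early `return` also silently drops whatever bytes did arrive; if the chardev layer can deliver fewer than `sizeof(long)` bytes per callback, the partial word has to be kept in the state and completed on the next call, otherwise the subsequent read begins mid-word. A short comment above the check saying why a short read is treated as an error (or how partial data is handled) would help the next reader.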
CC'ing Gerd.

Andreas

> > thanks
> -- PMM

--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg