aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:58 +0000
committerPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:58 +0000
commitcba933b2257ef0ad241756a0ff86bc0acda685ca (patch)
tree35868822a83885717fbba7376769024a54b62e56
parent106a73b6d200035c5156f90b5f9b6a53d3adb43b (diff)
hw/timer/arm_timer: Avoid array overrun for bad addresses
The integrator's timer read/write functions log an error for bad addresses in guest accesses, but were falling through and using an out of bounds array index rather than returning early. Fix this. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Message-id: 1392647854-8067-4-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org
-rw-r--r--hw/timer/arm_timer.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/hw/timer/arm_timer.c b/hw/timer/arm_timer.c
index a47afde23a..fb0a45c889 100644
--- a/hw/timer/arm_timer.c
+++ b/hw/timer/arm_timer.c
@@ -320,6 +320,7 @@ static uint64_t icp_pit_read(void *opaque, hwaddr offset,
n = offset >> 8;
if (n > 2) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+ return 0;
}
return arm_timer_read(s->timer[n], offset & 0xff);
@@ -334,6 +335,7 @@ static void icp_pit_write(void *opaque, hwaddr offset,
n = offset >> 8;
if (n > 2) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+ return;
}
arm_timer_write(s->timer[n], offset & 0xff, value);