aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCornelia Huck <cornelia.huck@de.ibm.com>2015-03-20 13:16:20 +0100
committerCornelia Huck <cornelia.huck@de.ibm.com>2015-03-30 09:25:17 +0200
commitd03a363054f1cc58d4e6653ff09fbbe8121a0302 (patch)
tree822f7563560e86edb27d0b31de1ff54aa3417ac9
parent590fe5722b522e492a9c78adadae4def35b137dd (diff)
downloadqemu-arm-d03a363054f1cc58d4e6653ff09fbbe8121a0302.tar.gz
virtio-ccw: range check in READ_VQ_CONF
Processing for READ_VQ_CONF needs to check whether the requested queue value is actually in the supported range and post a channel program check if not. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-rw-r--r--hw/s390x/virtio-ccw.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index ceb6a45703..d32ecafe98 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
ret = -EFAULT;
} else {
vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
+ if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
+ ret = -EINVAL;
+ break;
+ }
vq_config.num_max = virtio_queue_get_num(vdev,
vq_config.index);
stw_be_phys(&address_space_memory,