author | Isaku Yamahata <yamahata@valinux.co.jp> | 2010-07-28 23:08:42 +0000 |
committer | Blue Swirl <blauwirbel@gmail.com> | 2010-08-30 20:06:35 +0000 |
commit | d729bb9a7700e364b1c5f9893d61f07a9e002bce (patch) | |
tree | b1344d5d36fb7b3b75365151436212333cc48c25 | |
parent | 02a89b219039621c940863aa5a9da4fec81a1546 (diff) |
acpi: fix file size check with -acpitable.
The ACPI table file can be modified during load, so the file size check
should be stricter.
The pointer calculation should happen after qemu_realloc(), not before it.
Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
-rw-r--r-- | hw/acpi.c | 28 |
1 files changed, 19 insertions, 9 deletions
@@ -50,6 +50,8 @@ int acpi_table_add(const char *t)
 char buf[1024], *p, *f;
 struct acpi_table_header acpi_hdr;
 unsigned long val;
+ uint32_t length;
+ struct acpi_table_header *acpi_hdr_p;
 size_t off;
 memset(&acpi_hdr, 0, sizeof(acpi_hdr));
@@ -108,7 +110,7 @@ int acpi_table_add(const char *t)
 buf[0] = '\0';
 }
- acpi_hdr.length = sizeof(acpi_hdr);
+ length = sizeof(acpi_hdr);
 f = buf;
 while (buf[0]) {
@@ -120,7 +122,7 @@ int acpi_table_add(const char *t)
 fprintf(stderr, "Can't stat file '%s': %s\n", f, strerror(errno));
 goto out;
 }
- acpi_hdr.length += s.st_size;
+ length += s.st_size;
 if (!n) break;
 *n = ':';
@@ -131,12 +133,12 @@ int acpi_table_add(const char *t)
 acpi_tables_len = sizeof(uint16_t);
 acpi_tables = qemu_mallocz(acpi_tables_len);
 }
+ acpi_tables = qemu_realloc(acpi_tables,
+ acpi_tables_len + sizeof(uint16_t) + length);
 p = acpi_tables + acpi_tables_len;
- acpi_tables_len += sizeof(uint16_t) + acpi_hdr.length;
- acpi_tables = qemu_realloc(acpi_tables, acpi_tables_len);
+ acpi_tables_len += sizeof(uint16_t) + length;
- acpi_hdr.length = cpu_to_le32(acpi_hdr.length);
- *(uint16_t*)p = acpi_hdr.length;
+ *(uint16_t*)p = cpu_to_le32(length);
 p += sizeof(uint16_t);
 memcpy(p, &acpi_hdr, sizeof(acpi_hdr));
 off = sizeof(acpi_hdr);
@@ -157,7 +159,9 @@ int acpi_table_add(const char *t)
 goto out;
 }
- do {
+ /* off < length is necessary because file size can be changed
+ under our foot */
+ while(s.st_size && off < length); {
 int r;
 r = read(fd, p + off, s.st_size);
 if (r > 0) {
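Review bot: `*(uint16_t*)p = cpu_to_le32(length);` in hunk @@ -131 stores a 32-bit byte-swapped value through a uint16_t pointer, so on a big-endian host the prefix receives the upper half of the swapped word rather than a little-endian 16-bit length; `*(uint16_t*)p = cpu_to_le16(length);` is the conversion that matches the field width. The same hunk never bounds `length`, a uint32_t summed from each file's st_size, before narrowing it to the 16-bit prefix, so a table set larger than 0xffff bytes gets a truncated prefix while acpi_tables_len still grows by the full size; a guard such as `if (length > 0xffff) { fprintf(stderr, "ACPI table too large\n"); goto out; }` ahead of the qemu_realloc would reject it instead of emitting an inconsistent blob. The table-count increment after the last hunk has the same le32-on-uint16_t mismatch, but it is untouched context. acpi_table_add extends beyond this hunk.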
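Review bot: The new `while(s.st_size && off < length); {` in hunk @@ -157 carries a stray semicolon, which makes the loop body empty and turns the `{ ... }` that follows into a plain block executed once: with a non-empty file and off < length nothing inside the empty loop changes either operand, so acpi_table_add never returns, and for an empty file the read block still runs once. Dropping the semicolon, `while (s.st_size && off < length) {`, restores the intended loop, and the `+ }` in hunk @@ -167 then closes its body the way the old `} while(s.st_size);` did. The body between the two hunks is not visible here; if it contains `continue` or `break`, with the semicolon present they bind to the outer `while (buf[0])` loop instead, which is worth re-checking alongside the fix. acpi_table_add extends beyond this hunk.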
@@ -167,15 +171,21 @@ int acpi_table_add(const char *t)
 close(fd);
 goto out;
 }
- } while(s.st_size);
+ }
 close(fd);
 if (!n) break;
 f = n + 1;
 }
+ if (off < length) {
+ /* don't pass random value in process to guest */
+ memset(p + off, 0, length - off);
+ }
- ((struct acpi_table_header*)p)->checksum = acpi_checksum((uint8_t*)p, off);
+ acpi_hdr_p = (struct acpi_table_header*)p;
+ acpi_hdr_p->length = cpu_to_le32(length);
+ acpi_hdr_p->checksum = acpi_checksum((uint8_t*)p, length);
 /* increase number of tables */
 (*(uint16_t*)acpi_tables) = cpu_to_le32(le32_to_cpu(*(uint16_t*)acpi_tables) + 1); |
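Review bot: The comment `/* don't pass random value in process to guest */` on the new memset in hunk @@ -167 does not say which case leaves the bytes unset or why they would be "random"; `/* Tail left unread (presumably a file that shrank after stat()): zero it so uninitialised host heap contents are not exposed to the guest. */` states both. Zero-filling is the right choice here, and since each read() is bounded by the remaining st_size that was folded into `length`, the unread tail is the only gap the guest could otherwise observe. acpi_table_add's closing lines are outside this hunk.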