virtio-pci: don't crash on illegal length

Some guests seem to access cfg with an illegal length value. It's worth fixing them but debugging is easier if qemu does not crash. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
author: Michael S. Tsirkin <mst@redhat.com> 2015-07-13 10:32:50 +0300
committer: Michael S. Tsirkin <mst@redhat.com> 2015-07-13 14:42:24 +0300
commit: 2a6391232fa58f32469fb61d55343eff32a91083 (patch)
tree: 5bfbc98f9b3a2893d20497e44cdf3c3309eb8ad5 /hw/virtio
parent: 8aedc369c6ae4fb4c4c6920f703b000015df3d8d (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 6ca0258067..c5e8cc041f 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -546,7 +546,8 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_write(&proxy->modern_as, off,
                                        cfg->pci_cfg_data, len);
         }
@@ -570,7 +571,8 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev,
         off = le32_to_cpu(cfg->cap.offset);
         len = le32_to_cpu(cfg->cap.length);
 
-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
             virtio_address_space_read(&proxy->modern_as, off,
                                       cfg->pci_cfg_data, len);
         }
author	Michael S. Tsirkin <mst@redhat.com>	2015-07-13 10:32:50 +0300
committer	Michael S. Tsirkin <mst@redhat.com>	2015-07-13 14:42:24 +0300
commit	2a6391232fa58f32469fb61d55343eff32a91083 (patch)
tree	5bfbc98f9b3a2893d20497e44cdf3c3309eb8ad5 /hw/virtio
parent	8aedc369c6ae4fb4c4c6920f703b000015df3d8d (diff)