author | Prasad J Pandit <pjp@fedoraproject.org> | 2016-07-27 21:07:56 +0530 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2016-07-29 00:07:10 +0300 |
commit | 1e7aed70144b4673fc26e73062064b6724795e5f (patch) | |
tree | d6cf8775d16eeb42d4e292a33568b9715fedae63 /hw | |
parent | 9a4c0e220d8a4f82b5665d0ee95ef94d8e1509d5 (diff) |
virtio: check vring descriptor buffer length
virtio back end uses set of buffers to facilitate I/O operations.
An infinite loop unfolds in virtqueue_pop() if a buffer was
of zero size. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/virtio/virtio.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 752b2715d0..b4d05110d2 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -458,6 +458,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove unsigned num_sg = *p_num_sg; assert(num_sg <= max_num_sg); + if (!sz) { + error_report("virtio: zero sized buffers are not allowed"); + exit(1); + } + while (sz) { hwaddr len = sz; |
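Review bot: The new `if (!sz)` branch in virtqueue_map_desc() calls exit(1), so a zero-length descriptor buffer terminates the whole QEMU process and the caller gets no chance to clean up or fail just the affected request. Because the function returns void, consider giving it a status return so the caller can reject the element or stop the device instead, or add a comment explaining why a hard exit is acceptable here. The error_report() string names no device or queue, which makes the log line hard to attribute to its source. Finally, the `while (sz)` loop right below the check would simply be skipped when sz is 0, so a short comment stating that the loop being prevented is the one in virtqueue_pop() (as the commit message says) would make the reason for the check clear at this location.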