From d03a363054f1cc58d4e6653ff09fbbe8121a0302 Mon Sep 17 00:00:00 2001 From: Cornelia Huck <cornelia.huck@de.ibm.com> Date: Fri, 20 Mar 2015 13:16:20 +0100 Subject: virtio-ccw: range check in READ_VQ_CONF Processing for READ_VQ_CONF needs to check whether the requested queue value is actually in the supported range and post a channel program check if not. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> --- hw/s390x/virtio-ccw.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'hw/s390x/virtio-ccw.c') diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c index ceb6a45703..d32ecafe98 100644 --- a/hw/s390x/virtio-ccw.c +++ b/hw/s390x/virtio-ccw.c @@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) ret = -EFAULT; } else { vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda); + if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) { + ret = -EINVAL; + break; + } vq_config.num_max = virtio_queue_get_num(vdev, vq_config.index); stw_be_phys(&address_space_memory, -- cgit v1.2.3