From d03a363054f1cc58d4e6653ff09fbbe8121a0302 Mon Sep 17 00:00:00 2001
From: Cornelia Huck <cornelia.huck@de.ibm.com>
Date: Fri, 20 Mar 2015 13:16:20 +0100
Subject: virtio-ccw: range check in READ_VQ_CONF

Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/virtio-ccw.c | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index ceb6a45703..d32ecafe98 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -549,6 +549,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
             ret = -EFAULT;
         } else {
             vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
+            if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX) {
+                ret = -EINVAL;
+                break;
+            }
             vq_config.num_max = virtio_queue_get_num(vdev,
                                                      vq_config.index);
             stw_be_phys(&address_space_memory,
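Review bot: The new bound at `if (vq_config.index >= VIRTIO_PCI_QUEUE_MAX)` uses a constant named for the PCI transport inside the ccw transport, and nothing in the hunk says why that is the right limit for the `virtio_queue_get_num()` call that follows. Because `vq_config.index` is loaded straight from guest memory via `lduw_be_phys()`, a short comment above the check would help, e.g. `/* index is guest-supplied: reject it before it selects a virtqueue */`. The commit message promises a channel program check, but the translation of `-EINVAL` into that condition happens outside this hunk (virtio_ccw_cb starts and ends beyond it), so it is worth confirming there. Any other CCW handlers in this file that take a queue index from the guest presumably want the same guard.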