xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-27 05:20:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

qemu-char: BUGFIX, don't call FD_ISSET with negative fd

Browse Source 
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2().  If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour.  On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.

This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
David Gibson 2012-09-10 12:30:56 +10:00 committed by Anthony Liguori
parent 6db0fdce02
commit bbdd2ad081
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
iohandler.c
View File

@ -56,6 +56,8 @@ int qemu_set_fd_handler2(int fd,
{
IOHandlerRecord *ioh;
assert(fd >= 0);
if (!fd_read && !fd_write) {
QLIST_FOREACH(ioh, &io_handlers, next) {
if (ioh->fd == fd) {

6
qemu-char.c
View File

@ -2329,8 +2329,10 @@ static void tcp_chr_connect(void *opaque)
TCPCharDriver *s = chr->opaque;
s->connected = 1;
qemu_set_fd_handler2(s->fd, tcp_chr_read_poll,
tcp_chr_read, NULL, chr);
if (s->fd >= 0) {
qemu_set_fd_handler2(s->fd, tcp_chr_read_poll,
tcp_chr_read, NULL, chr);
}
qemu_chr_generic_open(chr);
}