virtio-pci: don't crash on illegal length

Some guests seem to access cfg with an illegal length value. It's worth fixing them but debugging is easier if qemu does not crash. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com>

virtio-pci: don't crash on illegal length
Some guests seem to access cfg with an illegal length value. It's worth fixing them but debugging is easier if qemu does not crash. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com>
2a639123 · Michael S. Tsirkin · 8aedc369 · 2a639123
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

hw/virtio/virtio-pci.c hw/virtio/virtio-pci.c +4 -2

未找到文件。
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -546,7 +546,8 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
        off = le32_to_cpu(cfg->cap.offset);
        len = le32_to_cpu(cfg->cap.length);

-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
            virtio_address_space_write(&proxy->modern_as, off,
                                       cfg->pci_cfg_data, len);
        }
@@ -570,7 +571,8 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev,
        off = le32_to_cpu(cfg->cap.offset);
        len = le32_to_cpu(cfg->cap.length);

-        if (len <= sizeof cfg->pci_cfg_data) {
+        if (len == 1 || len == 2 || len == 4) {
+            assert(len <= sizeof cfg->pci_cfg_data);
            virtio_address_space_read(&proxy->modern_as, off,
                                      cfg->pci_cfg_data, len);
        }