From 637f7a6a01e09bc39f7b3a24257a9cd6ea396ca0 Mon Sep 17 00:00:00 2001
From: Avi Kivity
Date: Mon, 9 Jan 2012 13:59:50 +0200
Subject: [PATCH] vhost: fix mem_sections memory corruption

A memset() used to delete an entry in an array did not take into account the array element's size.

Signed-off-by: Avi Kivity
Acked-by: Michael S. Tsirkin
---
 hw/vhost.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vhost.c b/hw/vhost.c
index 541c7163b2..d924fb0e4d 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -456,7 +456,7 @@ static void vhost_region_del(MemoryListener *listener,
 == section->offset_within_address_space) {
 --dev->n_mem_sections;
 memmove(&dev->mem_sections[i], &dev->mem_sections[i+1],
- dev->n_mem_sections - i);
+ (dev->n_mem_sections - i) * sizeof(*dev->mem_sections));
 break;
 }
 }
-- 
GitLab
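Review bot: The length passed to `memmove` is only correct because `--dev->n_mem_sections` runs on the line before it, so `dev->n_mem_sections - i` already counts the entries after slot `i`; nothing in the hunk records that dependency, and swapping the two statements would make the copy read one element past the live entries. I would add a comment above the call, e.g. `/* n_mem_sections is already decremented: shift the entries after slot i down by one */`. After the shift the vacated last slot still holds a stale copy of the former last entry, which is harmless only if every reader bounds itself by `n_mem_sections`. That cannot be confirmed here, because the loop and the rest of `vhost_region_del` lie outside the hunk.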