ivshmem: fix number of bytes to push to fifo

If the fifo has 0 bytes, and the read is of size 1, the call to fifo8_push_all() will copy off boundary data. Signed-off-by: N Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: N Claudio Fontana <claudio.fontana@huawei.com>

ivshmem: fix number of bytes to push to fifo
If the fifo has 0 bytes, and the read is of size 1, the call to fifo8_push_all() will copy off boundary data. Signed-off-by: N Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: N Claudio Fontana <claudio.fontana@huawei.com>
951dada6 · Marc-André Lureau · b8ab854b · 951dada6
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

hw/misc/ivshmem.c hw/misc/ivshmem.c +1 -1

未找到文件。
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -455,7 +455,7 @@ static void ivshmem_read(void *opaque, const uint8_t *buf, int size)
        uint32_t num;
        IVSHMEM_DPRINTF("short read of %d bytes\n", size);
-        num = MAX(size, sizeof(long) - fifo8_num_used(&s->incoming_fifo));
+        num = MIN(size, sizeof(long) - fifo8_num_used(&s->incoming_fifo));
        fifo8_push_all(&s->incoming_fifo, buf, num);
        if (fifo8_num_used(&s->incoming_fifo) < sizeof(incoming_posn)) {
            return;