ssi-sd: fix buffer overrun on invalid state load

author Michael S. Tsirkin <mst@redhat.com>

Mon, 28 Apr 2014 13:08:14 +0000 (16:08 +0300)

committer Michael Roth <mdroth@linux.vnet.ibm.com>

Mon, 21 Jul 2014 03:05:55 +0000 (22:05 -0500)
author Michael S. Tsirkin <mst@redhat.com>
Mon, 28 Apr 2014 13:08:14 +0000 (16:08 +0300)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Mon, 21 Jul 2014 03:05:55 +0000 (22:05 -0500)
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c

index 3273c8a31f64e4d76f3e38c91282000e8faa2eb6..b012e57f6439e05881ac42a66e870521da0c61a7 100644 (file)
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
      for (i = 0; i < 5; i++)
          s->response[i] = qemu_get_be32(f);
      s->arglen = qemu_get_be32(f);
+    if (s->mode == SSI_SD_CMDARG &&
+        (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
+        return -EINVAL;
+    }
      s->response_pos = qemu_get_be32(f);
      s->stopping = qemu_get_be32(f);
+    if (s->mode == SSI_SD_RESPONSE &&
+        (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
+        (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
+        return -EINVAL;
+    }
  
      ss->cs = qemu_get_be32(f);
author	Michael S. Tsirkin <mst@redhat.com>
	Mon, 28 Apr 2014 13:08:14 +0000 (16:08 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Mon, 21 Jul 2014 03:05:55 +0000 (22:05 -0500)