From 485fc28751b0b14fa6c02130c014e97f2c71279c Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 25 Mar 2009 11:38:29 +0000
Subject: [PATCH] passthrough: fix buffer overflow of vslots

Assuming we assign n devices, strlen(direct_pci) can be 13n and the length of the old 'vslots' is 13n/3 which is smaller than 5n+1 (1 slot_str takes 5 bytes). So we have to malloc a bigger buffer for vslots.

Signed-off-by: Dexuan Cui
---
 hw/pass-through.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/hw/pass-through.c b/hw/pass-through.c
index 8a63dcee..b82fdf99 100644
--- a/hw/pass-through.c
+++ b/hw/pass-through.c
@@ -3931,10 +3931,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
     if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
         return 0;
 
-    /* the virtual pci slots of all pass-through devs
-     * with hex format: xx;xx...;
+    /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may
+     * be even longer considering the per-device opts(see the parsing for
+     * '/local/domain/0/backend/pci/XX/YY/opts-ZZ' in
+     * xenstore_parse_domain_config().
+     *
+     * The format of vslots(virtual pci slots of all pass-through devs):
+     * 0xXX;0xXX;... (see the code below).
+     *
+     * We're sure the length of direct_pci is bigger than that of vslots.
      */
-    vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
+    vslots = qemu_mallocz(strlen(direct_pci) + 1);
+    if ( vslots == NULL )
+    {
+        status = -1;
+        goto err;
+    }
 
     /* Assign given devices to guest */
     while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f, &opt) )
-- 
2.39.5
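Review bot: The new size `strlen(direct_pci) + 1` is only sufficient if every device token that `next_bdf()` accepts is at least as long as the 5-byte `0xXX;` entry it produces, and that parser is outside the hunk, so the bound is an invariant asserted in a comment rather than enforced by the code; any shorter BDF spelling the parser tolerates would reopen the overflow. A sizing that does not depend on the input format — count the devices first and allocate `5 * ndev + 1`, or bound the later append with `snprintf` against the allocated length — would stay correct even if the parser or the slot format changes. The two adjacent allocation failures also exit differently: the `strdup` failure does `return 0;` while the new `qemu_mallocz` check does `status = -1; goto err;`, and if the `err:` label (not in the hunk) does not free `direct_pci_head`, the strdup'd copy leaks on this new path. pt_init's body, including the loop that fills vslots and the err label, continues outside the hunk.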