| commit | bbdd2ad0814ea0911076419ea21b7957505cf1cc | |
| author | David Gibson <david@gibson.dropbear.id.au> | |
| Mon, 10 Sep 2012 02:30:56 +0000 (10 12:30 +1000) | ||
| committer | Anthony Liguori <aliguori@us.ibm.com> | |
| Mon, 17 Sep 2012 15:18:48 +0000 (17 10:18 -0500) | ||
| tree | 183f2c2e48f2a743711823b09c012740897ac7a3 | treesnapshot (tar.gz zip) |
| parent | 6db0fdce02d72546a4c47100a9b2cd0090cf464d | commitdiff |
qemu-char: BUGFIX, don't call FD_ISSET with negative fd
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.
This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.
This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
| iohandler.c | diffblobblamehistory | |
| qemu-char.c | diffblobblamehistory |