From bbdd2ad0814ea0911076419ea21b7957505cf1cc Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 10 Sep 2012 12:30:56 +1000 Subject: [PATCH] qemu-char: BUGFIX, don't call FD_ISSET with negative fd tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does not check if the fd it is using is valid (>= 0) before passing it to qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not initially connected, this can result in -1 being passed to FD_ISSET, which has undefined behaviour. On x86 it seems to harmlessly return 0, but on PowerPC, it causes a fortify buffer overflow error to be thrown. This patch fixes this by putting an extra test in tcp_chr_connect(), and also adds an assert qemu_set_fd_handler2() to catch other such errors on all platforms, rather than just some. Signed-off-by: David Gibson Signed-off-by: Anthony Liguori --- iohandler.c | 2 ++ qemu-char.c | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/iohandler.c b/iohandler.c index dea43552d2..a2d871bb91 100644 --- a/iohandler.c +++ b/iohandler.c @@ -56,6 +56,8 @@ int qemu_set_fd_handler2(int fd, { IOHandlerRecord *ioh; + assert(fd >= 0); + if (!fd_read && !fd_write) { QLIST_FOREACH(ioh, &io_handlers, next) { if (ioh->fd == fd) { diff --git a/qemu-char.c b/qemu-char.c index 10d1504948..7f0f895157 100644 --- a/qemu-char.c +++ b/qemu-char.c @@ -2329,8 +2329,10 @@ static void tcp_chr_connect(void *opaque) TCPCharDriver *s = chr->opaque; s->connected = 1; - qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, - tcp_chr_read, NULL, chr); + if (s->fd >= 0) { + qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, + tcp_chr_read, NULL, chr); + } qemu_chr_generic_open(chr); } -- 2.11.4.GIT