diff options
| author | Keir Fraser <keir@xensource.com> | 2007-09-26 09:19:12 +0100 |
|---|---|---|
| committer | Keir Fraser <keir@xensource.com> | 2007-09-26 09:19:12 +0100 |
| commit | b85210e23c64c43efefa86fa1f701d5172d4556b (patch) | |
| tree | f94e3ea030041fa6f4140a170914219992066c2b /tools | |
| parent | 8f198985116c64b6503393618e046dc0c1d0efca (diff) | |
| download | xen-b85210e23c64c43efefa86fa1f701d5172d4556b.tar.gz xen-b85210e23c64c43efefa86fa1f701d5172d4556b.tar.bz2 xen-b85210e23c64c43efefa86fa1f701d5172d4556b.zip | |
ioemu: security fixes for not-built or not-default-configured subsystems.
Patches originally proposed by S. Caglar Onur and cleaned up for
xen-unstable by Robert Buchholz <rbu@gentoo.org>.
Signed-off-by: Keir Fraser <keir@xensource.com>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/ioemu/hw/fdc.c | 9 | ||||
| -rw-r--r-- | tools/ioemu/hw/ne2000.c | 8 | ||||
| -rw-r--r-- | tools/ioemu/hw/sb16.c | 6 |
3 files changed, 17 insertions, 6 deletions
diff --git a/tools/ioemu/hw/fdc.c b/tools/ioemu/hw/fdc.c index 0012834f44..dc2ea6ebff 100644 --- a/tools/ioemu/hw/fdc.c +++ b/tools/ioemu/hw/fdc.c @@ -1100,8 +1100,13 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) len = fdctrl->data_len - fdctrl->data_pos; if (len > FD_SECTOR_LEN) len = FD_SECTOR_LEN; - bdrv_read(cur_drv->bs, fd_sector(cur_drv), - fdctrl->fifo, len); + if (cur_drv->bs) { + bdrv_read(cur_drv->bs, fd_sector(cur_drv), + fdctrl->fifo, len); + } else { + FLOPPY_ERROR("can't read data from drive\n"); + return 0; + } } } retval = fdctrl->fifo[pos]; diff --git a/tools/ioemu/hw/ne2000.c b/tools/ioemu/hw/ne2000.c index 92720e0811..82168c020d 100644 --- a/tools/ioemu/hw/ne2000.c +++ b/tools/ioemu/hw/ne2000.c @@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) /* write packet data */ while (size > 0) { - avail = s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; diff --git a/tools/ioemu/hw/sb16.c b/tools/ioemu/hw/sb16.c index 04325ac031..387330f414 100644 --- a/tools/ioemu/hw/sb16.c +++ b/tools/ioemu/hw/sb16.c @@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, int nchan, int dma_pos, int dma_len) s->block_size); #endif - while (s->left_till_irq <= 0) { - s->left_till_irq = s->block_size + s->left_till_irq; + if (s->block_size) { + while (s->left_till_irq <= 0) { + s->left_till_irq = s->block_size + s->left_till_irq; + } } return dma_pos; |