authorAvi Kivity <avi@redhat.com>2012-01-09 13:59:50 +0200
committerAvi Kivity <avi@redhat.com>2012-01-09 13:59:50 +0200
commit637f7a6a01e09bc39f7b3a24257a9cd6ea396ca0 (patch)
treedee4bbeb6cc64db9d622542587363ea84af23321
parentd743c382861eaa1e13f503b05aba5a382a7e7f7c (diff)
vhost: fix mem_sections memory corruption
A memset() used to delete an entry in an array did not take into account the array element's size. Signed-off-by: Avi Kivity <avi@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com>
-rw-r--r--hw/vhost.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/vhost.c b/hw/vhost.c
index 541c7163b2..d924fb0e4d 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -456,7 +456,7 @@ static void vhost_region_del(MemoryListener *listener,
== section->offset_within_address_space) {
--dev->n_mem_sections;
memmove(&dev->mem_sections[i], &dev->mem_sections[i+1],
- dev->n_mem_sections - i);
+ (dev->n_mem_sections - i) * sizeof(*dev->mem_sections));
break;
}
}
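Review bot: The byte count passed to `memmove` is only correct because `--dev->n_mem_sections` has already run on the line above, and nothing in the code says so. A comment before the call, such as `/* n_mem_sections is already decremented: shift the entries after slot i down by one; length is in bytes */`, would keep a later reordering from reintroducing a wrong length. The last slot still holds a stale copy of the final entry after the move, which is harmless only if every reader bounds its walk by `n_mem_sections`; that cannot be confirmed from this hunk. vhost_region_del starts before the hunk and continues past it, so the loop bounds and the types of `i` and `n_mem_sections` are not visible here.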