char: serial: check divider value against baud base

16550A UART device uses an oscillator to generate frequencies (baud base), which decide communication speed. This speed could be changed by dividing it by a divider. If the divider is greater than the baud base, speed is set to zero, leading to a divide by zero error. Add check to avoid it. Reported-by: Huawei PSIRT <psirt@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Prasad J Pandit <pjp@fedoraproject.org> 2016-10-12 11:28:08 +0530
committer: Paolo Bonzini <pbonzini@redhat.com> 2016-10-24 15:27:19 +0200
commit: 3592fe0c919cf27a81d8e9f9b4f269553418bb01 (patch)
tree: 95788cb96c4b005dfc13ec10de448c5419d24ce2 /hw
parent: 0a752eeea810a1c37f5de4edba355c35cfa42524 (diff)
download: qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.tar.gz
qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.tar.bz2
qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47d36..eec72b7b9e 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
     int speed, parity, data_bits, stop_bits, frame_size;
     QEMUSerialSetParams ssp;
 
-    if (s->divider == 0)
+    if (s->divider == 0 || s->divider > s->baudbase) {
         return;
+    }
 
     /* Start bit. */
     frame_size = 1;
author	Prasad J Pandit <pjp@fedoraproject.org>	2016-10-12 11:28:08 +0530
committer	Paolo Bonzini <pbonzini@redhat.com>	2016-10-24 15:27:19 +0200
commit	3592fe0c919cf27a81d8e9f9b4f269553418bb01 (patch)
tree	95788cb96c4b005dfc13ec10de448c5419d24ce2 /hw
parent	0a752eeea810a1c37f5de4edba355c35cfa42524 (diff)
download	qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.tar.gz qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.tar.bz2 qemu-3592fe0c919cf27a81d8e9f9b4f269553418bb01.zip