summaryrefslogtreecommitdiff
path: root/iohandler.c
diff options
context:
space:
mode:
authorDavid Gibson <david@gibson.dropbear.id.au>2012-09-10 12:30:56 +1000
committerAnthony Liguori <aliguori@us.ibm.com>2012-09-17 10:18:48 -0500
commitbbdd2ad0814ea0911076419ea21b7957505cf1cc (patch)
tree183f2c2e48f2a743711823b09c012740897ac7a3 /iohandler.c
parent6db0fdce02d72546a4c47100a9b2cd0090cf464d (diff)
downloadqemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.tar.gz
qemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.tar.bz2
qemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.zip
qemu-char: BUGFIX, don't call FD_ISSET with negative fd
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does not check if the fd it is using is valid (>= 0) before passing it to qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not initially connected, this can result in -1 being passed to FD_ISSET, which has undefined behaviour. On x86 it seems to harmlessly return 0, but on PowerPC, it causes a fortify buffer overflow error to be thrown. This patch fixes this by putting an extra test in tcp_chr_connect(), and also adds an assert qemu_set_fd_handler2() to catch other such errors on all platforms, rather than just some. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'iohandler.c')
-rw-r--r--iohandler.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/iohandler.c b/iohandler.c
index dea43552d2..a2d871bb91 100644
--- a/iohandler.c
+++ b/iohandler.c
@@ -56,6 +56,8 @@ int qemu_set_fd_handler2(int fd,
{
IOHandlerRecord *ioh;
+ assert(fd >= 0);
+
if (!fd_read && !fd_write) {
QLIST_FOREACH(ioh, &io_handlers, next) {
if (ioh->fd == fd) {