diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2012-09-10 12:30:56 +1000 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2012-09-17 10:18:48 -0500 |
| commit | bbdd2ad0814ea0911076419ea21b7957505cf1cc (patch) | |
| tree | 183f2c2e48f2a743711823b09c012740897ac7a3 /qemu-char.c | |
| parent | 6db0fdce02d72546a4c47100a9b2cd0090cf464d (diff) | |
| download | qemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.tar.gz qemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.tar.bz2 qemu-bbdd2ad0814ea0911076419ea21b7957505cf1cc.zip | |
qemu-char: BUGFIX, don't call FD_ISSET with negative fd
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.
This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'qemu-char.c')
| -rw-r--r-- | qemu-char.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/qemu-char.c b/qemu-char.c index 10d1504948..7f0f895157 100644 --- a/qemu-char.c +++ b/qemu-char.c @@ -2329,8 +2329,10 @@ static void tcp_chr_connect(void *opaque) TCPCharDriver *s = chr->opaque; s->connected = 1; - qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, - tcp_chr_read, NULL, chr); + if (s->fd >= 0) { + qemu_set_fd_handler2(s->fd, tcp_chr_read_poll, + tcp_chr_read, NULL, chr); + } qemu_chr_generic_open(chr); } |