git.proxmox.com Git - qemu.git/commit

author	David Gibson <david@gibson.dropbear.id.au>
	Mon, 10 Sep 2012 02:30:56 +0000 (12:30 +1000)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Fri, 12 Oct 2012 02:44:19 +0000 (21:44 -0500)
commit	8484fead29c731a5902b1c183e64c179a13a15b8
tree	030f49e8eb78e9dd7ee3e3e326a66ee6e66bd315	tree
parent	57683d635420c8cd01e67db3b0129d9b143913b3	commit \| diff

qemu-char: BUGFIX, don't call FD_ISSET with negative fd

tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.

This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit bbdd2ad0814ea0911076419ea21b7957505cf1cc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

iohandler.c		diff \| blob \| blame \| history
qemu-char.c		diff \| blob \| blame \| history