diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2025-07-21 10:07:53 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2025-07-21 10:07:53 +0100 |
| commit | 8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a (patch) | |
| tree | 9431b7706d60c8f1448e76e160247a041d3ab1f2 | |
| parent | 655659a74a36b63e33d2dc969d3c44beb1b008b3 (diff) | |
| download | qemu-8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a.zip qemu-8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a.tar.gz qemu-8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a.tar.bz2 | |
hw/misc/ivshmem-pci: Improve error handling
Coverity points out that the ivshmem-pci code has some error handling
cases where it incorrectly tries to use an invalid filedescriptor.
These generally happen because ivshmem_recv_msg() calls
qemu_chr_fe_get_msgfd(), which might return -1, but the code in
process_msg() generally assumes that the file descriptor was provided
when it was supposed to be. In particular:
* the error case in process_msg() only needs to close the fd
if one was provided
* process_msg_shmem() should fail if no fd was provided
Coverity: CID 1508726
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20250711145012.1521936-1-peter.maydell@linaro.org
| -rw-r--r-- | hw/misc/ivshmem-pci.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/hw/misc/ivshmem-pci.c b/hw/misc/ivshmem-pci.c index 5a10bca..d47ae73 100644 --- a/hw/misc/ivshmem-pci.c +++ b/hw/misc/ivshmem-pci.c @@ -479,6 +479,11 @@ static void process_msg_shmem(IVShmemState *s, int fd, Error **errp) struct stat buf; size_t size; + if (fd < 0) { + error_setg(errp, "server didn't provide fd with shared memory message"); + return; + } + if (s->ivshmem_bar2) { error_setg(errp, "server sent unexpected shared memory message"); close(fd); @@ -553,7 +558,9 @@ static void process_msg(IVShmemState *s, int64_t msg, int fd, Error **errp) if (msg < -1 || msg > IVSHMEM_MAX_PEERS) { error_setg(errp, "server sent invalid message %" PRId64, msg); - close(fd); + if (fd >= 0) { + close(fd); + } return; } |