aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGonglei <arei.gonglei@huawei.com>2015-02-10 15:51:22 +0800
committerMichael Tokarev <mjt@tls.msk.ru>2015-03-10 08:15:33 +0300
commitd4cd45028898a37afb45fb449954115b4960d4e9 (patch)
tree879eaec793d6dba41194bb07c5e99eb74f30f9e1
parent277263e1b320d759a760ba6c5ea75ec268f929e5 (diff)
downloadqemu-d4cd45028898a37afb45fb449954115b4960d4e9.zip
qemu-d4cd45028898a37afb45fb449954115b4960d4e9.tar.gz
qemu-d4cd45028898a37afb45fb449954115b4960d4e9.tar.bz2
xen-pt: fix Negative array index read
Coverity spot: Function xen_pt_bar_offset_to_index() may return a negative value (-1) which is used as an index to d->io_regions[] down the line. Let's pass index directly as an argument to xen_pt_bar_reg_parse(). Signed-off-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-rw-r--r--hw/xen/xen_pt_config_init.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
index de9a20f..710fe50 100644
--- a/hw/xen/xen_pt_config_init.c
+++ b/hw/xen/xen_pt_config_init.c
@@ -360,15 +360,13 @@ static uint64_t xen_pt_get_bar_size(PCIIORegion *r)
}
static XenPTBarFlag xen_pt_bar_reg_parse(XenPCIPassthroughState *s,
- XenPTRegInfo *reg)
+ int index)
{
PCIDevice *d = &s->dev;
XenPTRegion *region = NULL;
PCIIORegion *r;
- int index = 0;
/* check 64bit BAR */
- index = xen_pt_bar_offset_to_index(reg->offset);
if ((0 < index) && (index < PCI_ROM_SLOT)) {
int type = s->real_device.io_regions[index - 1].type;
@@ -422,7 +420,7 @@ static int xen_pt_bar_reg_init(XenPCIPassthroughState *s, XenPTRegInfo *reg,
}
/* set BAR flag */
- s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, reg);
+ s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, index);
if (s->bases[index].bar_flag == XEN_PT_BAR_FLAG_UNUSED) {
reg_field = XEN_PT_INVALID_REG;
}