aboutsummaryrefslogtreecommitdiff
path: root/hw/misc/ivshmem.c
diff options
context:
space:
mode:
authorMarkus Armbruster <armbru@redhat.com>2016-03-15 19:34:45 +0100
committerMarkus Armbruster <armbru@redhat.com>2016-03-21 21:29:02 +0100
commit08183c20b8b0782e4c30156eb7202d1117ca22f5 (patch)
treefb23f00307e6f2ef0c1269ebe0a7b4b297676e12 /hw/misc/ivshmem.c
parentee276391a38c784fd1a3ce33eab0481348d518d1 (diff)
downloadqemu-08183c20b8b0782e4c30156eb7202d1117ca22f5.zip
qemu-08183c20b8b0782e4c30156eb7202d1117ca22f5.tar.gz
qemu-08183c20b8b0782e4c30156eb7202d1117ca22f5.tar.bz2
ivshmem: Tighten check of property "size"
If size_t is narrower than 64 bits, passing uint64_t ivshmem_size to mmap() truncates. Reject such sizes. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1458066895-20632-31-git-send-email-armbru@redhat.com>
Diffstat (limited to 'hw/misc/ivshmem.c')
-rw-r--r--hw/misc/ivshmem.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 7b9e769..66c713e 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -87,7 +87,7 @@ typedef struct IVShmemState {
*/
MemoryRegion bar;
MemoryRegion ivshmem;
- uint64_t ivshmem_size; /* size of shared memory region */
+ size_t ivshmem_size; /* size of shared memory region */
uint32_t ivshmem_64bit;
Peer *peers;
@@ -361,7 +361,7 @@ static int check_shm_size(IVShmemState *s, int fd, Error **errp)
if (s->ivshmem_size > buf.st_size) {
error_setg(errp, "Requested memory size greater"
- " than shared object size (%" PRIu64 " > %" PRIu64")",
+ " than shared object size (%zu > %" PRIu64")",
s->ivshmem_size, (uint64_t)buf.st_size);
return -1;
} else {
@@ -865,7 +865,8 @@ static void pci_ivshmem_realize(PCIDevice *dev, Error **errp)
} else {
char *end;
int64_t size = qemu_strtosz(s->sizearg, &end);
- if (size < 0 || *end != '\0' || !is_power_of_2(size)) {
+ if (size < 0 || (size_t)size != size || *end != '\0'
+ || !is_power_of_2(size)) {
error_setg(errp, "Invalid size %s", s->sizearg);
return;
}