aboutsummaryrefslogtreecommitdiff
path: root/hw/net
diff options
context:
space:
mode:
authorJason Wang <jasowang@redhat.com>2015-03-20 14:07:50 +0800
committerMichael S. Tsirkin <mst@redhat.com>2015-03-25 13:39:25 +0100
commit7e0e736ecdfeac6d3517513d3a702304e4f6cf59 (patch)
treea3afabb60e43593737ee49276d8019384da7b5aa /hw/net
parent7976a6d23151c780474bdac106f3cf1343a2d6ca (diff)
downloadqemu-7e0e736ecdfeac6d3517513d3a702304e4f6cf59.zip
qemu-7e0e736ecdfeac6d3517513d3a702304e4f6cf59.tar.gz
qemu-7e0e736ecdfeac6d3517513d3a702304e4f6cf59.tar.bz2
virtio-net: validate backend queue numbers against bus limitation
We don't validate the backend queue numbers against bus limitation, this will easily crash qemu if it exceeds the limitation which will hit the abort() in virtio_del_queue(). An example is trying to starting a virtio-net device with 256 queues. E.g: ./qemu-system-x86_64 -netdev tap,id=hn0,queues=256 -device virtio-net-pci,netdev=hn0 Fixing this by doing the validation and fail early. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'hw/net')
-rw-r--r--hw/net/virtio-net.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 27adcc5..59f76bc 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1588,6 +1588,13 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);
n->max_queues = MAX(n->nic_conf.peers.queues, 1);
+ if (n->max_queues * 2 + 1 > VIRTIO_PCI_QUEUE_MAX) {
+ error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
+ "must be a postive integer less than %d.",
+ n->max_queues, (VIRTIO_PCI_QUEUE_MAX - 1) / 2);
+ virtio_cleanup(vdev);
+ return;
+ }
n->vqs = g_malloc0(sizeof(VirtIONetQueue) * n->max_queues);
n->vqs[0].rx_vq = virtio_add_queue(vdev, 256, virtio_net_handle_rx);
n->curr_queues = 1;