diff options
author | Gonglei <arei.gonglei@huawei.com> | 2015-02-10 15:51:22 +0800 |
---|---|---|
committer | Michael Tokarev <mjt@tls.msk.ru> | 2015-03-10 08:15:33 +0300 |
commit | d4cd45028898a37afb45fb449954115b4960d4e9 (patch) | |
tree | 879eaec793d6dba41194bb07c5e99eb74f30f9e1 /hw/xen | |
parent | 277263e1b320d759a760ba6c5ea75ec268f929e5 (diff) | |
download | qemu-d4cd45028898a37afb45fb449954115b4960d4e9.zip qemu-d4cd45028898a37afb45fb449954115b4960d4e9.tar.gz qemu-d4cd45028898a37afb45fb449954115b4960d4e9.tar.bz2 |
xen-pt: fix Negative array index read
Coverity spot:
Function xen_pt_bar_offset_to_index() may return a negative
value (-1) which is used as an index to d->io_regions[] down
the line.
Let's pass index directly as an argument to
xen_pt_bar_reg_parse().
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'hw/xen')
-rw-r--r-- | hw/xen/xen_pt_config_init.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c index de9a20f..710fe50 100644 --- a/hw/xen/xen_pt_config_init.c +++ b/hw/xen/xen_pt_config_init.c @@ -360,15 +360,13 @@ static uint64_t xen_pt_get_bar_size(PCIIORegion *r) } static XenPTBarFlag xen_pt_bar_reg_parse(XenPCIPassthroughState *s, - XenPTRegInfo *reg) + int index) { PCIDevice *d = &s->dev; XenPTRegion *region = NULL; PCIIORegion *r; - int index = 0; /* check 64bit BAR */ - index = xen_pt_bar_offset_to_index(reg->offset); if ((0 < index) && (index < PCI_ROM_SLOT)) { int type = s->real_device.io_regions[index - 1].type; @@ -422,7 +420,7 @@ static int xen_pt_bar_reg_init(XenPCIPassthroughState *s, XenPTRegInfo *reg, } /* set BAR flag */ - s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, reg); + s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, index); if (s->bases[index].bar_flag == XEN_PT_BAR_FLAG_UNUSED) { reg_field = XEN_PT_INVALID_REG; } |