diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2023-08-11 18:47:51 +0100 |
|---|---|---|
| committer | Klaus Jensen <k.jensen@samsung.com> | 2023-09-12 16:17:05 +0200 |
| commit | b3c8246750b7077add335559341268f2956f6470 (patch) | |
| tree | aca3f1feb22c308363c470f23646b4504570e9c3 /hw | |
| parent | b02c2a85a6c8e5ecc1bfca1ef794b5897c9ebad3 (diff) | |
| download | qemu-b3c8246750b7077add335559341268f2956f6470.zip qemu-b3c8246750b7077add335559341268f2956f6470.tar.gz qemu-b3c8246750b7077add335559341268f2956f6470.tar.bz2 | |
hw/nvme: Avoid dynamic stack allocation
Instead of using a variable-length array in nvme_map_prp(),
allocate on the stack with a g_autofree pointer.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/nvme/ctrl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index d99a6f5..90687b1 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -894,7 +894,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1, len -= trans_len; if (len) { if (len > n->page_size) { - uint64_t prp_list[n->max_prp_ents]; + g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents); uint32_t nents, prp_trans; int i = 0; |