aboutsummaryrefslogtreecommitdiff
path: root/linux-user/openrisc
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2017-12-15 13:52:55 +0000
committerLaurent Vivier <laurent@vivier.eu>2018-01-23 14:20:52 +0100
commit7174970a94df10ee84143edc7c94a2472d654604 (patch)
tree9e423921e391d7b20927bb6001abfc8db1ae921b /linux-user/openrisc
parent06065c451f10c7ef62cfb575a87f323a70ae1c9e (diff)
downloadqemu-7174970a94df10ee84143edc7c94a2472d654604.zip
qemu-7174970a94df10ee84143edc7c94a2472d654604.tar.gz
qemu-7174970a94df10ee84143edc7c94a2472d654604.tar.bz2
linux-user: Fix length calculations in host_to_target_cmsg()
The handling of length calculations in host_to_target_cmsg() was rather confused: * when checking for whether the target cmsg header fit in the remaining buffer, we were using the host struct size, not the target size * we were setting tgt_len to "target payload + header length" but then using it as if it were the target payload length alone * in various message type cases we weren't handling the possibility that host or target buffers were truncated Fix these problems. The second one in particular is liable to result in us overrunning the guest provided buffer, since we will try to convert more data than is actually present. Fixes: https://bugs.launchpad.net/qemu/+bug/1701808 Reported-by: Bruno Haible <bruno@clisp.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <1513345976-22958-2-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Diffstat (limited to 'linux-user/openrisc')
0 files changed, 0 insertions, 0 deletions