Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard accesses into the mb_clock[] array, which was allowing a malicious guest to write past the end of the array.
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
---
 hw/misc/arm_sysctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c
index 0fc26d2..3fad6f8 100644
--- a/hw/misc/arm_sysctl.c
+++ b/hw/misc/arm_sysctl.c
@@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc,
 }
 break;
 case SYS_CFG_OSC:
- if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+ if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
 /* motherboard clock */
 *val = s->mb_clock[device];
 return true;
@@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc,
 switch (function) {
 case SYS_CFG_OSC:
- if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+ if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
 /* motherboard clock */
 s->mb_clock[device] = val;
 return true;
--
1.8.5
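Review bot: The bound on `device` in the `SYS_CFG_OSC` case of vexpress_cfgctrl_read, and the identical check in vexpress_cfgctrl_write in the next hunk, has no comment saying that the index is supplied by the guest and must be compared against the element count, so nothing at either site signals that a byte-size comparison is wrong here. I would add `/* device is guest-controlled: bound by element count, not sizeof() */` above both checks. The old read-side check allowed reads past the end of mb_clock[] as well as the write-side overrun, so a regression test should drive an out-of-range device index through both the read and the write path and expect the access to be refused. Both function bodies continue outside the hunks, so whether other guest-indexed arrays in this file are still guarded with sizeof() cannot be confirmed from here and is worth checking before merge.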