Check if the guest really sent any items in the out_vq before using them. Similarly, check if there is a buffer to send data in before writing.
Signed-off-by: Amit Shah <amit.s...@redhat.com>
---
 hw/virtio-serial-bus.c | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 3bbd915..3a3032f 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -102,6 +102,11 @@ static size_t write_to_port(VirtIOSerialPort *port,
 break;
 }
+ if (elem.in_num < 1) {
+ error_report("No buffer to send data in?");
+ abort();
+ }
+
 len = iov_from_buf(elem.in_sg, elem.in_num, buf + offset, size - offset);
 offset += len;
@@ -127,6 +132,11 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
 while (virtqueue_pop(vq, &elem)) {
 unsigned int i;
+ if (elem.out_num < 1) {
+ error_report("No data sent by guest?");
+ abort();
+ }
+
 if (discard) {
 goto next;
 }
@@ -169,6 +179,11 @@ static size_t send_control_msg(VirtIOSerialPort *port, void *buf, size_t len)
 return 0;
 }
+ if (elem.in_num < 1) {
+ error_report("No buffer to send control data in?");
+ abort();
+ }
+
 cpkt = (struct virtio_console_control *)buf;
 stl_p(&cpkt->id, port->id);
 memcpy(elem.in_sg[0].iov_base, buf, len);
@@ -386,6 +401,10 @@ static void control_out(VirtIODevice *vdev, VirtQueue *vq)
 while (virtqueue_pop(vq, &elem)) {
 size_t cur_len, copied;
+ if (elem.out_num < 1) {
+ error_report("No data sent in control packet");
+ abort();
+ }
 cur_len = iov_size(elem.out_sg, elem.out_num);
 /*
 * Allocate a new buf only if we didn't have one previously or
-- 
1.7.3.2
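Review bot: The `abort()` added after `error_report()` in write_to_port turns a descriptor chain that the guest driver controls (zero in-buffers in `elem`) into termination of the whole QEMU process, so a buggy or hostile guest driver can take down its own VM and any host-side state the device holds; the same pattern is added in do_flush_queued_data, send_control_msg and control_out. A device-level failure path — reporting the error, completing the element with zero length and leaving the loop, or marking the device broken — confines the damage to the offending queue, and in do_flush_queued_data the check also fires on the `discard` path where the element's data would never have been touched. If the project's convention for guest protocol violations is to abort, a one-line comment above the check would tell readers the crash is deliberate: `/* zero in-buffers is a guest protocol violation; abort by virtio policy */`. write_to_port's body begins before and continues after the hunk.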
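Review bot: In send_control_msg the new `in_num` check makes `elem.in_sg[0]` a valid entry but does not bound the `memcpy(elem.in_sg[0].iov_base, buf, len)` that follows, so a guest that posts a first in-buffer shorter than `len` still gets `len` bytes written past the end of that buffer's mapping. The guard should also compare the available space, e.g. `if (elem.in_num < 1 || elem.in_sg[0].iov_len < len) {`, or measure the whole chain with `iov_size(elem.in_sg, elem.in_num)` the way control_out already does for the out side. send_control_msg's body begins before and continues after the hunk.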