From: Marc-André Lureau
Date: Mon, 2 Nov 2015 09:20:32 -0500 (EST)
Message-ID: <1638142759.891037.1446474032692.JavaMail.zimbra@redhat.com>
In-Reply-To: <1446426828-18084-1-git-send-email-arei.gonglei@huawei.com>
References: <1446426828-18084-1-git-send-email-arei.gonglei@huawei.com>
Subject: Re: [Qemu-devel] [PATCH] ivshmem-server: fix possible OVERRUN
To: arei gonglei
Cc: qemu-trivial@nongnu.org, marcandre lureau, qemu-devel@nongnu.org

Reviewed-by: Marc-André Lureau

----- Original Message -----
> From: Gonglei >=20 > >>> CID 1337991: Memory - illegal accesses (OVERRUN) > >>> Decrementing "i". The value of "i" is now 65534. > 218 while (i--) { > 219 event_notifier_cleanup(&peer->vectors[i]); > 220 } >=20 > Signed-off-by: Gonglei > --- > contrib/ivshmem-server/ivshmem-server.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) >=20 > diff --git a/contrib/ivshmem-server/ivshmem-server.c > b/contrib/ivshmem-server/ivshmem-server.c > index 5e5239c..d9e26b0 100644 > --- a/contrib/ivshmem-server/ivshmem-server.c > +++ b/contrib/ivshmem-server/ivshmem-server.c 
> @@ -168,7 +168,9 @@ ivshmem_server_handle_new_conn(IvshmemServer *server) > } > if (i =3D=3D G_MAXUINT16) { > IVSHMEM_SERVER_DEBUG(server, "cannot allocate new client id\n"); > - goto fail; > + close(newfd); > + g_free(peer); > + return -1; > } > peer->id =3D server->cur_id++; > =20 > -- > 1.7.12.4 >=20 >=20 >=20
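Review bot: the early return in the `if (i == G_MAXUINT16)` branch sidesteps the `fail:` label but duplicates its cleanup instead of fixing the loop Coverity flagged: `while (i--) { event_notifier_cleanup(&peer->vectors[i]); }` reuses the client-id search counter `i`, so when every id is taken the loop starts at `peer->vectors[65534]`, which is the out-of-bounds access in CID 1337991. A fix that keeps a single exit path would give the vector cleanup its own counter bounded by the number of vectors actually initialised and leave `goto fail` in place. If the early return is kept, please confirm that `close(newfd)` and `g_free(peer)` are everything the `fail:` label releases at this point, since the hunk does not show the label body and any resource acquired between the `peer` allocation and this check would now leak on this path.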