From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=38408 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OHW3D-0003LI-RP for qemu-devel@nongnu.org; Thu, 27 May 2010 01:54:41 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OHVwr-0004LE-Fb for qemu-devel@nongnu.org; Thu, 27 May 2010 01:48:06 -0400 Received: from mail.valinux.co.jp ([210.128.90.3]:50437) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OHVwr-0004L4-6W for qemu-devel@nongnu.org; Thu, 27 May 2010 01:48:05 -0400 Date: Thu, 27 May 2010 14:44:42 +0900 From: Isaku Yamahata Message-ID: <20100527054442.GI31807@valinux.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Subject: [Qemu-devel] [PATCH] pci: fix pci_default_read_config(). List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org address and config_size are both unsigned. So check which is bigger before minus operation. Otherwise the result of minus can be unexpected big value. Signed-off-by: Isaku Yamahata --- hw/pci.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/hw/pci.c b/hw/pci.c index 3362842..39a6206 100644 --- a/hw/pci.c +++ b/hw/pci.c @@ -988,9 +988,14 @@ uint32_t pci_default_read_config(PCIDevice *d, uint32_t address, int len) { uint32_t val = 0; + uint32_t config_size = pci_config_size(d); assert(len == 1 || len == 2 || len == 4); - len = MIN(len, pci_config_size(d) - address); - memcpy(&val, d->config + address, len); + if (address < config_size) { + len = MIN(len, config_size - address); + memcpy(&val, d->config + address, len); + } else { + val = ~0; + } return le32_to_cpu(val); } -- 1.6.6.1
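Review bot: the new else branch sets `val = ~0` for a read that starts at or past config_size, but a read that starts in range and runs past the end (address < config_size with address + len > config_size) still returns zeros in the bytes beyond the end, because `val` is initialised to 0 and only the clamped `len` bytes are copied. The two out-of-range cases should either use the same fill value or carry a comment saying why they differ. The else branch also returns all 32 bits set whatever `len` is, so a 1- or 2-byte read yields 0xffffffff. If callers are expected to mask the result to the access width, say so in a comment above the function. The `address < config_size` guard itself is the right fix. In the removed lines, `pci_config_size(d) - address` wraps when address is larger, `MIN` then keeps the original `len`, and `memcpy` reads from `d->config + address` outside the config buffer. The commit message could state that out-of-bounds read explicitly, since it is the actual consequence of the "unexpected big value".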