Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
u16 subvendor;
u8 revision;
int common, notify, device;
+ u32 common_length;
int offset;
/* We only own devices >= 0x1040 and <= 0x107f: leave the rest. */
return -ENODEV;
}
+ offset = common + offsetof(struct virtio_pci_cap, length);
+ dm_pci_read_config32(udev, offset, &common_length);
+ if (common_length < sizeof(struct virtio_pci_common_cfg)) {
+ printf("(%s): virtio common config too small\n", udev->name);
+ return -EINVAL;
+ }
+
/* If common is there, notify should be too */
notify = virtio_pci_find_capability(udev, VIRTIO_PCI_CAP_NOTIFY_CFG);
if (!notify) {