Message ID | 04c6fcdf939e7984ca9d92f41e3a4b1a6136a25b.1348571185.git.mst@redhat.com |
---|---|
State | New |
diff --git a/hw/virtio.c b/hw/virtio.c index 209c763..b5764bb 100644 --- a/hw/virtio.c +++ b/hw/virtio.c @@ -241,7 +241,7 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, elem->in_sg[i].iov_len, 1, size); - offset += elem->in_sg[i].iov_len; + offset += size; } for (i = 0; i < elem->out_num; i++)
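Review bot: at `offset += size;` in the in_sg loop of virtqueue_fill, the increment only keeps offset from passing len if size has already been limited to the remaining length earlier in the loop body, and that computation is outside the context shown in this hunk. A short comment at the increment stating that dependency would help, since the call just above still passes `elem->in_sg[i].iov_len` as one argument and `size` as another, and a later cleanup could easily revert the increment to the iov_len form. The commit message could also say explicitly which value "real value is 0" refers to, so the reader can check the "harmless" claim against the code.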
offset of accessed buffer is calculated using iov_length, so it can exceed accessed len. If that happens, math in len - offset wraps around, and size becomes wrong. As real value is 0, this is harmless but unnecessary.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

---
hw/virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)