From patchwork Sun Oct 11 13:48:41 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adam Lackorzynski
X-Patchwork-Id: 35700
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id B5BA2B7082 for ; Mon, 12 Oct 2009 00:51:01 +1100 (EST)
Received: from localhost ([127.0.0.1]:47785 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Mwyp9-0004tr-6d for incoming@patchwork.ozlabs.org; Sun, 11 Oct 2009 09:50:59 -0400
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1MwynS-0004PS-GK for qemu-devel@nongnu.org; Sun, 11 Oct 2009 09:49:14 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1MwynO-0004NS-R3 for qemu-devel@nongnu.org; Sun, 11 Oct 2009 09:49:14 -0400
Received: from [199.232.76.173] (port=51939 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1MwynO-0004NA-Ic for qemu-devel@nongnu.org; Sun, 11 Oct 2009 09:49:10 -0400
Received: from os.inf.tu-dresden.de ([141.76.48.99]:43154) by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1MwynO-00062n-0v for qemu-devel@nongnu.org; Sun, 11 Oct 2009 09:49:10 -0400
Received: from erwin.inf.tu-dresden.de ([141.76.48.80] helo=localhost.localdomain) by os.inf.tu-dresden.de with esmtp (Exim 4.69) id 1MwynG-0005Hr-Cm; Sun, 11 Oct 2009 15:49:02 +0200
From: adam@os.inf.tu-dresden.de To: qemu-devel@nongnu.org Date: Sun, 11 Oct 2009 15:48:41 +0200 Message-Id: <1255268921-5403-2-git-send-email-adam@os.inf.tu-dresden.de> X-Mailer: git-send-email 1.6.4.3 In-Reply-To: <1255268921-5403-1-git-send-email-adam@os.inf.tu-dresden.de> References: <1255268921-5403-1-git-send-email-adam@os.inf.tu-dresden.de> X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6 (newer, 3) Cc: Subject: [Qemu-devel] [PATCH 2/2] multiboot: Limit number of multiboot modules X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Adam Lackorzynski Add size checks to avoid overwriting the multiboot structure when too many modules are loaded. Signed-off-by: Adam Lackorzynski Acked-by: Kevin Wolf --- hw/pc.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/hw/pc.c b/hw/pc.c index e34ad9c..b190d22 100644 --- a/hw/pc.c +++ b/hw/pc.c @@ -702,6 +702,10 @@ static int load_multiboot(void *fw_cfg, int mb_mod_count = 0; do { + if (mb_mod_info + 16 > mb_mod_cmdline) { + printf("WARNING: Too many modules loaded, aborting.\n"); + break; + } next_initrd = strchr(initrd_filename, ','); if (next_initrd) *next_initrd = '\0'; @@ -712,8 +716,11 @@ static int load_multiboot(void *fw_cfg, initrd_filename); stl_p(bootinfo + mb_mod_info + 8, mb_bootinfo + mb_mod_cmdline); /* string */ mb_mod_cmdline += strlen(initrd_filename) + 1; - if (mb_mod_cmdline > sizeof(bootinfo)) + if (mb_mod_cmdline > sizeof(bootinfo)) { mb_mod_cmdline = sizeof(bootinfo); + printf("WARNING: Too many module cmdlines loaded, aborting.\n"); + break; + } if ((next_space = strchr(initrd_filename, ' '))) *next_space = '\0'; #ifdef DEBUG_MULTIBOOT
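
Review bot: In the first hunk (@@ -702,6 +702,10 @@), the new guard prints "aborting" but `break` only leaves the module loop, so the function continues with whatever modules were parsed so far and the rest are dropped. Either fail the load outright or reword the message to say the remaining modules are ignored, and use fprintf(stderr, ...) rather than printf so the warning goes to the diagnostic stream. The literal 16 in `mb_mod_info + 16 > mb_mod_cmdline` would read better as a named constant for the module entry size, with a one-line comment that the entry table must stay below the command-line string area inside bootinfo.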
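
Review bot: In the second hunk (@@ -712,8 +716,11 @@), the overflow test runs only after `stl_p(bootinfo + mb_mod_info + 8, mb_bootinfo + mb_mod_cmdline)` has stored the string pointer and after `mb_mod_cmdline += strlen(initrd_filename) + 1`, so the `break` leaves behind an entry whose command line did not fit. Test that the remaining space can hold strlen(initrd_filename) + 1 bytes before writing anything for the module, and make sure mb_mod_count does not end up counting the half-filled entry. The comparison also uses `>`, so mb_mod_cmdline == sizeof(bootinfo) passes even though no byte is left for the next string, and the top-of-loop guard from the first hunk compares only against mb_mod_info, not against sizeof(bootinfo).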