From patchwork Thu May 27 05:44:42 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Isaku Yamahata <yamahata@valinux.co.jp>
X-Patchwork-Id: 53683
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 9D513B7D17
	for <incoming@patchwork.ozlabs.org>;
	Thu, 27 May 2010 15:59:32 +1000 (EST)
Received: from localhost ([127.0.0.1]:54888 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OHW7t-0005Xl-Bl
	for incoming@patchwork.ozlabs.org; Thu, 27 May 2010 01:59:29 -0400
Received: from [140.186.70.92] (port=38408 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OHW3D-0003LI-RP
	for qemu-devel@nongnu.org; Thu, 27 May 2010 01:54:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <yamahata@valinux.co.jp>) id 1OHVwr-0004LE-Fb
	for qemu-devel@nongnu.org; Thu, 27 May 2010 01:48:06 -0400
Received: from mail.valinux.co.jp ([210.128.90.3]:50437)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <yamahata@valinux.co.jp>) id 1OHVwr-0004L4-6W
	for qemu-devel@nongnu.org; Thu, 27 May 2010 01:48:05 -0400
Received: from ps.local.valinux.co.jp (vagw.valinux.co.jp [210.128.90.14])
	by mail.valinux.co.jp (Postfix) with SMTP id 0AF311867D;
	Thu, 27 May 2010 14:48:04 +0900 (JST)
Received: (nullmailer pid 13288 invoked by uid 1000);
	Thu, 27 May 2010 05:44:42 -0000
Date: Thu, 27 May 2010 14:44:42 +0900
From: Isaku Yamahata <yamahata@valinux.co.jp>
To: qemu-devel@nongnu.org
Message-ID: <20100527054442.GI31807@valinux.co.jp>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.19 (2009-01-05)
X-Virus-Scanned: clamav-milter 0.95.2 at va-mail.local.valinux.co.jp
X-Virus-Status: Clean
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
Subject: [Qemu-devel] [PATCH] pci: fix pci_default_read_config().
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

address and config_size are both unsigned.
So check which is bigger before minus operation.
Otherwise the result of minus can be unexpected
big value.

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
---
 hw/pci.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hw/pci.c b/hw/pci.c
index 3362842..39a6206 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -988,9 +988,14 @@ uint32_t pci_default_read_config(PCIDevice *d,
                                  uint32_t address, int len)
 {
     uint32_t val = 0;
+    uint32_t config_size = pci_config_size(d);
     assert(len == 1 || len == 2 || len == 4);
-    len = MIN(len, pci_config_size(d) - address);
-    memcpy(&val, d->config + address, len);
+    if (address < config_size) {
+        len = MIN(len, config_size - address);
+        memcpy(&val, d->config + address, len);
+    } else {
+        val = ~0;
+    }
     return le32_to_cpu(val);
 }