authorths <ths>2006-12-10 23:20:45 +0000
committerths <ths>2006-12-10 23:20:45 +0000
commit67476a138645071250e6dc0670d1e94dbec95268 (patch)
tree864202b050c924c2ae999c7247d9d8a249f070af /qemu/hw/pci.c
parent67b5bbf68be0be579ffc57b5f9e6c43f557cdee0 (diff)
Fix PCI config space overflow, by Herbert Xu.
Diffstat (limited to 'qemu/hw/pci.c')
-rw-r--r--qemu/hw/pci.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/qemu/hw/pci.c b/qemu/hw/pci.c
index bc7c779e..d8fcd7be 100644
--- a/qemu/hw/pci.c
+++ b/qemu/hw/pci.c
@@ -242,16 +242,23 @@ uint32_t pci_default_read_config(PCIDevice *d,
uint32_t address, int len)
{
uint32_t val;
+
switch(len) {
- case 1:
- val = d->config[address];
- break;
- case 2:
- val = le16_to_cpu(*(uint16_t *)(d->config + address));
- break;
default:
case 4:
- val = le32_to_cpu(*(uint32_t *)(d->config + address));
+ if (address <= 0xfc) {
+ val = le32_to_cpu(*(uint32_t *)(d->config + address));
+ break;
+ }
+ /* fall through */
+ case 2:
+ if (address <= 0xfe) {
+ val = le16_to_cpu(*(uint16_t *)(d->config + address));
+ break;
+ }
+ /* fall through */
+ case 1:
+ val = d->config[address];
break;
}
return val;
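Review bot: The final `case 1:` arm still reads `d->config[address]` with no upper bound, so the new `address <= 0xfc` and `address <= 0xfe` tests only narrow the access width and rely on `address` already being at most 0xff on entry. Whether every caller masks the offset is not visible in this hunk; if one does not, an offset above 0xff supplied by the guest still indexes past the config array. A guard before the switch, for example `if (address > 0xff) return 0;` (with whatever value the bus model returns for unimplemented registers), would make the function safe on its own. The second hunk in pci_default_write_config has the same shape: `++addr > 0xff` is tested only after the first `d->config[addr] = val` store, and the loop header that would show the initial `addr` lies outside the hunk. The literals 0xfc, 0xfe and 0xff all encode the config-space size, so a named constant for that size would keep the three checks consistent.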
@@ -341,7 +348,8 @@ void pci_default_write_config(PCIDevice *d,
if (can_write) {
d->config[addr] = val;
}
- addr++;
+ if (++addr > 0xff)
+ break;
val >>= 8;
}