D46882.diff
No OneTemporary
Actions

Size

796 B

Referenced Files

None

Subscribers

None

D46882.diff
View Options

	diff --git a/usr.sbin/bhyve/pci_virtio_console.c b/usr.sbin/bhyve/pci_virtio_console.c
	--- a/usr.sbin/bhyve/pci_virtio_console.c
	+++ b/usr.sbin/bhyve/pci_virtio_console.c
	@@ -572,6 +572,9 @@
	struct iovec iov;
	int n;

	+ if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control))
	+ return;
	+
	vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true);

	if (!vq_has_descs(vq))
	@@ -580,11 +583,11 @@
	n = vq_getchain(vq, &iov, 1, &req);
	assert(n == 1);

	- if (iov.iov_len < sizeof(struct pci_vtcon_control))
	+ if (iov.iov_len < sizeof(struct pci_vtcon_control) + len)
	goto out;

	memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
	- if (payload != NULL && len > 0)
	+ if (len > 0)
	memcpy((uint8_t *)iov.iov_base +
	sizeof(struct pci_vtcon_control), payload, len);