[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 4/6] fw_cfg: exit with error when dupe fw_cfg file n

From: Gabriel L. Somlo
Subject: [Qemu-devel] [PATCH 4/6] fw_cfg: exit with error when dupe fw_cfg file name inserted
Date: Mon, 16 Mar 2015 10:15:03 -0400

Currently, when fw_cfg_add_file_callback() is invoked with a
duplicate file name, it gets to insert the data blob at the
next available selector, but exit (signalling the error via
a call to the trace_fw_cfg_add_file_dupe() function) before
incrementing the next available selector as soon as it finds
the requested file name to be a dupe.

As a consequence, the immediately following invocation of
fw_cfg_add_file_callback() will cause the data blob pointer
at the current selector to be overwritten, and therefore
leak the old data blob inserted during the previous failed
call (or, instead, trigger the newly added assertion which
guards against leaking data blobs by overwriting their

This patch modifies fw_cfg_add_file_callback() to exit qemu
with an error whenever a duplicate fw_cfg file name insertion
is requested.

Signed-off-by: Gabriel Somlo <address@hidden>
 hw/nvram/fw_cfg.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 5501a97..86f120e 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -481,17 +481,18 @@ void fw_cfg_add_file_callback(FWCfgState *s,  const char 
     index = be32_to_cpu(s->files->count);
     assert(index < FW_CFG_FILE_SLOTS);
+    for (i = 0; i < index; i++) {
+        if (strcmp(filename, s->files->f[i].name) == 0) {
+            error_report("duplicate fw_cfg file name: %s", filename);
+            exit(1);
+        }
+    }
     fw_cfg_add_bytes_read_callback(s, FW_CFG_FILE_FIRST + index,
                                    callback, callback_opaque, data, len);
     pstrcpy(s->files->f[index].name, sizeof(s->files->f[index].name),
-    for (i = 0; i < index; i++) {
-        if (strcmp(s->files->f[index].name, s->files->f[i].name) == 0) {
-            trace_fw_cfg_add_file_dupe(s, s->files->f[index].name);
-            return;
-        }
-    }
     s->files->f[index].size   = cpu_to_be32(len);
     s->files->f[index].select = cpu_to_be16(FW_CFG_FILE_FIRST + index);

reply via email to

[Prev in Thread] Current Thread [Next in Thread]