Re: [RFC] Fix rocker device null pointer crash. qemu config r->fp_ports with "-device rocker, len-ports=10" when guest config port larget then r->fp_ports(10) r->fp_port[port] is null-pointer, qemu will crash null-pointer Reported-by: chenzhe <address@hidden>

[Peter Maydell]

On Wed, 21 Jul 2021 at 15:23, NAME <sohu0106@126.com> wrote:
>
> From: sohu0106 <sohu0106@126.com>

Hi; you seem to have a misformatted commit message here --
everything has ended up in the Subject line. The first
line of the commit should be a short summary, usually
preceded by an indication of the area of the code
being fixed, like "hw/net/rocker:". Then there should be
a blank line, followed by the more detailed description
of the change. You can look at the git commit logs for
existing commits to get the idea.

> Signed-off-by: sohu0106 <sohu0106@126.com>

We request that Signed-off-by: lines are your full real
name, not a pseudonym or email address; this is because you
are stating with this line that it's legally OK for this
patch to go into QEMU.

You might like to read
https://wiki.qemu.org/Contribute/SubmitAPatch
if you haven't found it already.

> diff --git a/hw/net/rocker/rocker_fp.c b/hw/net/rocker/rocker_fp.c
> index cbeed65bd5..45b5020106 100644
> --- a/hw/net/rocker/rocker_fp.c
> +++ b/hw/net/rocker/rocker_fp.c
> @@ -108,9 +108,10 @@ int fp_port_set_settings(FpPort *port, uint32_t speed,
>      return ROCKER_OK;
>  }
>
> -bool fp_port_from_pport(uint32_t pport, uint32_t *port)
> +bool fp_port_from_pport(Rocker *r, uint32_t pport, uint32_t *port)
>  {
> -    if (pport < 1 || pport > ROCKER_FP_PORTS_MAX) {
> +    if (pport < 1 || pport > ROCKER_FP_PORTS_MAX ||
> +        pport >= rocker_fp_ports(r)) {
>          return false;

You don't need to keep the check against ROCKER_FP_PORTS_MAX,
because the realize method will ensure that r->fp_ports is
not larger than ROCKER_FP_PORTS_MAX, and so the single check
against "pport >= rocker_fp_ports(r)" covers that case.

thanks
-- PMM