@@ -125,16 +125,16 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
return;
}
while (virtqueue_pop(vq, &elem)) {
- uint8_t *buf;
- size_t ret, buf_size;
+ unsigned int i;
- if (!discard) {
- buf_size = iov_size(elem.out_sg, elem.out_num);
- buf = qemu_malloc(buf_size);
- ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size);
+ for (i = 0; !discard && i < elem.out_num; i++) {
+ size_t buf_size;
- port->info->have_data(port, buf, ret);
- qemu_free(buf);
+ buf_size = elem.out_sg[i].iov_len;
+
+ port->info->have_data(port,
+ elem.out_sg[i].iov_base,
+ buf_size);
}
virtqueue_push(vq, &elem, 0);
}
When the guest writes something to a host, we copied over the entire buffer first into the host and then processed it. Do away with that, it could result in a malicious guest causing a DoS on the host. Reported-by: Paul Brook <paul@codesourcery.com> Signed-off-by: Amit Shah <amit.shah@redhat.com> --- hw/virtio-serial-bus.c | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-)