From 194f399c127e38760914e31df3799238250a1078 Mon Sep 17 00:00:00 2001 From: Fam Zheng Date: Tue, 4 Nov 2014 02:48:35 +0100 Subject: [PATCH 07/15] virtio-scsi: Fix num_queue input validation Message-id: <1415069315-6921-4-git-send-email-famz@redhat.com> Patchwork-id: 62058 O-Subject: [RHEL-7.1 qemu-kvm-rhev PATCH v2 3/3] virtio-scsi: Fix num_queue input validation Bugzilla: 1146826 RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Markus Armbruster RH-Acked-by: Paolo Bonzini RH-Acked-by: Max Reitz We need to count the ctrlq and eventq, and also cleanup before returning. Besides, the format string should be unsigned. The number could never be less than zero. Signed-off-by: Fam Zheng Signed-off-by: Paolo Bonzini (cherry picked from commit 0ba1f53191221b541b938df86a39eeccfb87f996) Signed-off-by: Fam Zheng Signed-off-by: Miroslav Rezanina --- hw/scsi/virtio-scsi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index b9aba7e..bd880c8 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -699,10 +699,11 @@ void virtio_scsi_common_realize(DeviceState *dev, Error **errp, virtio_init(vdev, "virtio-scsi", VIRTIO_ID_SCSI, sizeof(VirtIOSCSIConfig)); - if (s->conf.num_queues <= 0 || s->conf.num_queues > VIRTIO_PCI_QUEUE_MAX) { - error_setg(errp, "Invalid number of queues (= %" PRId32 "), " + if (s->conf.num_queues == 0 || + s->conf.num_queues > VIRTIO_PCI_QUEUE_MAX - 2) { + error_setg(errp, "Invalid number of queues (= %" PRIu32 "), " "must be a positive integer less than %d.", - s->conf.num_queues, VIRTIO_PCI_QUEUE_MAX); + s->conf.num_queues, VIRTIO_PCI_QUEUE_MAX - 2); virtio_cleanup(vdev); return; } -- 1.8.3.1