Fix PCI config space overflow, by Herbert Xu.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@2238 c046a42c-6fe2-441c-8c8c-71466251a162
2006-12-10 23:20:45 +00:00 · 2006-12-10 23:20:45 +00:00 · a2d4e44b48
parent 3bcb80f1af
commit a2d4e44b48
1 changed files with 16 additions and 8 deletions
--- a/hw/pci.c
+++ b/hw/pci.c
@ -242,16 +242,23 @@ uint32_t pci_default_read_config(PCIDevice *d,
                                 uint32_t address, int len)
 {
    uint32_t val;
+
    switch(len) {
-    case 1:
-        val = d->config[address];
-        break;
-    case 2:
-        val = le16_to_cpu(*(uint16_t *)(d->config + address));
-        break;
    default:
    case 4:
-        val = le32_to_cpu(*(uint32_t *)(d->config + address));
+	if (address <= 0xfc) {
+	    val = le32_to_cpu(*(uint32_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
+    case 2:
+        if (address <= 0xfe) {
+	    val = le16_to_cpu(*(uint16_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
+    case 1:
+        val = d->config[address];
        break;
    }
    return val;
@ -341,7 +348,8 @@ void pci_default_write_config(PCIDevice *d,
        if (can_write) {
            d->config[addr] = val;
        }
-        addr++;
+        if (++addr > 0xff)
+        	break;
        val >>= 8;
    }