hw/timer/arm_timer: Avoid array overrun for bad addresses

The integrator's timer read/write functions log an error for bad addresses in guest accesses, but were falling through and using an out of bounds array index rather than returning early. Fix this. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Message-id: 1392647854-8067-4-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org (cherry picked from commit cba933b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
qemu · Feb 27, 2014 · 5444df1 · 5444df1
1 parent e498311
commit 5444df1
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/hw/timer/arm_timer.c b/hw/timer/arm_timer.c
@@ -320,6 +320,7 @@ static uint64_t icp_pit_read(void *opaque, hwaddr offset,
     n = offset >> 8;
     if (n > 2) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+        return 0;
     }
 
     return arm_timer_read(s->timer[n], offset & 0xff);
@@ -334,6 +335,7 @@ static void icp_pit_write(void *opaque, hwaddr offset,
     n = offset >> 8;
     if (n > 2) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+        return;
     }
 
     arm_timer_write(s->timer[n], offset & 0xff, value);