xhci: add sanity checks to xhci_lookup_uport

Also catch xhci_lookup_uport failures in post_load. https://bugzilla.redhat.com/show_bug.cgi?id=1074219 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
qemu · Nov 11, 2014 · f2ad97f · f2ad97f
1 parent 1e03e40
commit f2ad97f
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
@@ -2262,6 +2262,9 @@ static USBPort *xhci_lookup_uport(XHCIState *xhci, uint32_t *slot_ctx)
     int i, pos, port;
 
     port = (slot_ctx[1]>>16) & 0xFF;
+    if (port < 1 || port > xhci->numports) {
+        return NULL;
+    }
     port = xhci->ports[port-1].uport->index+1;
     pos = snprintf(path, sizeof(path), "%d", port);
     for (i = 0; i < 5; i++) {
@@ -3706,6 +3709,12 @@ static int usb_xhci_post_load(void *opaque, int version_id)
             xhci_mask64(ldq_le_pci_dma(pci_dev, dcbaap + 8 * slotid));
         xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
         slot->uport = xhci_lookup_uport(xhci, slot_ctx);
+        if (!slot->uport) {
+            /* should not happen, but may trigger on guest bugs */
+            slot->enabled = 0;
+            slot->addressed = 0;
+            continue;
+        }
         assert(slot->uport && slot->uport->dev);
 
         for (epid = 1; epid <= 31; epid++) {