virtio-ccw: Queue sanity check for notify hypercall.

Verify that the virtio-ccw notify hypercall passed a reasonable
value for queue.

Cc: qemu-stable@nongnu.org
Reported-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit b57ed9bf075e33cdd2f9eb545ff555301dd57221)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 65492118200ce91bf278e41cf03816a0c0899200..f90b5e44769a4ed5e3d9fc996361d7c3fd9c4611 100644 (file)
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -31,6 +31,9 @@ static int virtio_ccw_hcall_notify(const uint64_t *args)
     if (!sch || !css_subch_visible(sch)) {
         return -EINVAL;
     }
+    if (queue >= VIRTIO_PCI_QUEUE_MAX) {
+        return -EINVAL;
+    }
     virtio_queue_notify(virtio_ccw_get_vdev(sch), queue);
     return 0;