From: Peter Maydell Date: Wed, 26 Feb 2014 17:19:58 +0000 (+0000) Subject: hw/timer/arm_timer: Avoid array overrun for bad addresses X-Git-Tag: v1.7.1~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5444df15819cc1fa5a95876967d726b80f594e31;p=thirdparty%2Fqemu.git hw/timer/arm_timer: Avoid array overrun for bad addresses The integrator's timer read/write functions log an error for bad addresses in guest accesses, but were falling through and using an out of bounds array index rather than returning early. Fix this. Signed-off-by: Peter Maydell Reviewed-by: Paolo Bonzini Reviewed-by: Andreas Färber Message-id: 1392647854-8067-4-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org (cherry picked from commit cba933b2257ef0ad241756a0ff86bc0acda685ca) Signed-off-by: Michael Roth --- diff --git a/hw/timer/arm_timer.c b/hw/timer/arm_timer.c index a47afde23af..fb0a45c889e 100644 --- a/hw/timer/arm_timer.c +++ b/hw/timer/arm_timer.c @@ -320,6 +320,7 @@ static uint64_t icp_pit_read(void *opaque, hwaddr offset, n = offset >> 8; if (n > 2) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n); + return 0; } return arm_timer_read(s->timer[n], offset & 0xff); @@ -334,6 +335,7 @@ static void icp_pit_write(void *opaque, hwaddr offset, n = offset >> 8; if (n > 2) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n); + return; } arm_timer_write(s->timer[n], offset & 0xff, value);
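Review bot: In the icp_pit_read hunk, the bound in `if (n > 2)` is a bare literal that has to stay in step with the size of `s->timer[]`, whose declaration is not visible here. Deriving it from the array, for example `n >= ARRAY_SIZE(s->timer)`, would keep the check correct if the number of timers ever changes. The added `return 0;` makes a bad-address read yield zero to the guest; a one-line comment saying that this read-as-zero behaviour is intended would help later readers.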
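Review bot: In the icp_pit_write hunk, `if (n > 2)` tests only the upper bound, while `n` is printed with `%d`, which suggests a signed int receiving `offset >> 8` from a `hwaddr`. If the region size does not already limit `offset`, a value that narrows to a negative `n` would pass this test and still reach `s->timer[n]`; making `n` unsigned, or range-checking the offset before narrowing, would rule that out. The same check, log and early return now appear in both the read and the write path, so a small shared helper that validates the index would keep the two from drifting apart.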