hyperv/syndbg: check length returned by cpu_physical_memory_map()

author Paolo Bonzini <pbonzini@redhat.com>

Mon, 9 Mar 2026 12:20:35 +0000 (13:20 +0100)

committer Paolo Bonzini <pbonzini@redhat.com>

Wed, 11 Mar 2026 16:01:30 +0000 (17:01 +0100)
author Paolo Bonzini <pbonzini@redhat.com>
Mon, 9 Mar 2026 12:20:35 +0000 (13:20 +0100)
committer Paolo Bonzini <pbonzini@redhat.com>
Wed, 11 Mar 2026 16:01:30 +0000 (17:01 +0100)
diff --git a/hw/hyperv/syndbg.c b/hw/hyperv/syndbg.c

index 1e177f9dd826dd2b75a8af791f9341a2ca4f7758..10171b19e8f850372ef2643ef3eaf106afa4bd13 100644 (file)
--- a/hw/hyperv/syndbg.c
+++ b/hw/hyperv/syndbg.c
@@ -194,7 +194,7 @@ static uint16_t handle_recv_msg(HvSynDbg *syndbg, uint64_t outgpa,
      uint16_t ret;
      g_assert(MSG_BUFSZ >= qemu_target_page_size());
      QEMU_UNINITIALIZED uint8_t data_buf[MSG_BUFSZ];
-    hwaddr out_len;
+    hwaddr out_len, out_requested_len;
      void *out_data;
      ssize_t recv_byte_count;
  
@@ -223,29 +223,28 @@ static uint16_t handle_recv_msg(HvSynDbg *syndbg, uint64_t outgpa,
      if (is_raw) {
          out_len += UDP_PKT_HEADER_SIZE;
      }
+    out_requested_len = out_len;
      out_data = cpu_physical_memory_map(outgpa, &out_len, 1);
-    if (!out_data) {
-        return HV_STATUS_INSUFFICIENT_MEMORY;
+    ret = HV_STATUS_INSUFFICIENT_MEMORY;
+    if (!out_data || out_len < out_requested_len) {
+        goto cleanup_out_data;
      }
  
      if (is_raw &&
-        !create_udp_pkt(syndbg, out_data,
-                        recv_byte_count + UDP_PKT_HEADER_SIZE,
+        !create_udp_pkt(syndbg, out_data, out_len,
                          data_buf, recv_byte_count)) {
-        ret = HV_STATUS_INSUFFICIENT_MEMORY;
          goto cleanup_out_data;
      } else if (!is_raw) {
-        memcpy(out_data, data_buf, recv_byte_count);
+        memcpy(out_data, data_buf, out_len);
      }
  
-    *retrieved_count = recv_byte_count;
-    if (is_raw) {
-        *retrieved_count += UDP_PKT_HEADER_SIZE;
-    }
+    *retrieved_count = out_len;
      ret = HV_STATUS_SUCCESS;
  
  cleanup_out_data:
-    cpu_physical_memory_unmap(out_data, out_len, 1, out_len);
+    if (out_data) {
+        cpu_physical_memory_unmap(out_data, out_len, 1, out_len);
+    }
      return ret;
  }
author	Paolo Bonzini <pbonzini@redhat.com>
	Mon, 9 Mar 2026 12:20:35 +0000 (13:20 +0100)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Wed, 11 Mar 2026 16:01:30 +0000 (17:01 +0100)