passthrough: fix buffer overflow of vslots

Assuming we assign n devices, strlen(direct_pci) can be 13n and the
length of the old 'vslots' is 13n/3 which is smaller than 5n+1 (1
slot_str takes 5 bytes).  So we have to malloc a bigger buffer for
vslots.

Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>

diff --git a/hw/pass-through.c b/hw/pass-through.c
index 8a63dceed0daf48fabd322056e9b8da7245ce4a6..b82fdf999a5f51359fa816f6c06e2839711b1138 100644 (file)
--- a/hw/pass-through.c
+++ b/hw/pass-through.c
@@ -3931,10 +3931,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
     if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
         return 0;
 
-    /* the virtual pci slots of all pass-through devs
-     * with hex format: xx;xx...;
+    /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may
+     * be even longer considering the per-device opts(see the parsing for
+     * '/local/domain/0/backend/pci/XX/YY/opts-ZZ' in
+     * xenstore_parse_domain_config().
+     *
+     * The format of vslots(virtual pci slots of all pass-through devs):
+     * 0xXX;0xXX;... (see the code below).
+     *
+     * We're sure the length of direct_pci is bigger than that of vslots.
      */
-    vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
+    vslots = qemu_mallocz(strlen(direct_pci) + 1);
+    if ( vslots == NULL )
+    {
+        status = -1;
+        goto err;
+    }
 
     /* Assign given devices to guest */
     while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f, &opt) )