Fix PCI config space overflow, by Herbert Xu.
authorths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
Sun, 10 Dec 2006 23:20:45 +0000 (23:20 +0000)
committerths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
Sun, 10 Dec 2006 23:20:45 +0000 (23:20 +0000)
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@2238 c046a42c-6fe2-441c-8c8c-71466251a162

hw/pci.c

index bc7c779e59cdad6ef67eb83290c913506883e494..d8fcd7be5597dd12eb7f04f6bab8fd2315620d81 100644 (file)
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -242,16 +242,23 @@ uint32_t pci_default_read_config(PCIDevice *d,
                                  uint32_t address, int len)
 {
     uint32_t val;
+
     switch(len) {
-    case 1:
-        val = d->config[address];
-        break;
-    case 2:
-        val = le16_to_cpu(*(uint16_t *)(d->config + address));
-        break;
     default:
     case 4:
-        val = le32_to_cpu(*(uint32_t *)(d->config + address));
+       if (address <= 0xfc) {
+           val = le32_to_cpu(*(uint32_t *)(d->config + address));
+           break;
+       }
+       /* fall through */
+    case 2:
+        if (address <= 0xfe) {
+           val = le16_to_cpu(*(uint16_t *)(d->config + address));
+           break;
+       }
+       /* fall through */
+    case 1:
+        val = d->config[address];
         break;
     }
     return val;
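Review bot: The final `case 1:` arm still reads `d->config[address]` with no bound on `address`. The new `<= 0xfc` and `<= 0xfe` guards only keep the 4- and 2-byte loads inside the 256-byte range the constants imply, so an address above 0xff falls through to an out-of-bounds byte read. Callers are not visible here, so that may already be ruled out; if it is not, a guard ahead of the switch such as `if (address > 0xff) return 0;` would cover every width (the return value should match what the bus code expects for an invalid access). The fall-through also silently narrows a wide read near the end of the space, for example a 4-byte read at 0xff returns one byte, which deserves a comment above the switch. The function's closing brace lies outside the hunk.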
@@ -341,7 +348,8 @@ void pci_default_write_config(PCIDevice *d,
         if (can_write) {
             d->config[addr] = val;
         }
-        addr++;
+        if (++addr > 0xff)
+               break;
         val >>= 8;
     }
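Review bot: The new bound is tested only after `d->config[addr] = val;` has run, so it stops the loop from walking past 0xff but does not protect the first store when `addr` is already above 0xff on entry. The loop header and any earlier validation of `addr` are outside this hunk, so this may be handled before the loop. If it is not, testing before the store (`if (addr > 0xff) break;` at the top of the loop body, followed by a plain `addr++;` here) covers both cases. As a style point, the `break` is indented deeper than the surrounding code and the `if` has no braces.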