From bf854d65a5db2380ef2f0e8014f79a405c523b94 Mon Sep 17 00:00:00 2001
From: Adam Lackorzynski <adam@os.inf.tu-dresden.de>
Date: Sun, 11 Oct 2009 15:48:41 +0200
Subject: [PATCH] multiboot: Limit number of multiboot modules

Add size checks to avoid overwriting the multiboot structure
when too many modules are loaded.

Patchworks-ID: 35700
Signed-off-by: Adam Lackorzynski <adam@os.inf.tu-dresden.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
 hw/pc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/pc.c b/hw/pc.c
index 47afaa5f6e..408d6d622f 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -702,6 +702,10 @@ static int load_multiboot(void *fw_cfg,
         int mb_mod_count = 0;
 
         do {
+            if (mb_mod_info + 16 > mb_mod_cmdline) {
+                printf("WARNING: Too many modules loaded, aborting.\n");
+                break;
+            }
             next_initrd = strchr(initrd_filename, ',');
             if (next_initrd)
                 *next_initrd = '\0';
@@ -712,8 +716,11 @@ static int load_multiboot(void *fw_cfg,
                     initrd_filename);
             stl_p(bootinfo + mb_mod_info + 8, mb_bootinfo + mb_mod_cmdline); /* string */
             mb_mod_cmdline += strlen(initrd_filename) + 1;
-            if (mb_mod_cmdline > sizeof(bootinfo))
+            if (mb_mod_cmdline > sizeof(bootinfo)) {
                 mb_mod_cmdline = sizeof(bootinfo);
+                printf("WARNING: Too many module cmdlines loaded, aborting.\n");
+                break;
+            }
             if ((next_space = strchr(initrd_filename, ' ')))
                 *next_space = '\0';
 #ifdef DEBUG_MULTIBOOT
-- 
2.30.2