From 65408dcf219ca1f17b62d5bb626a009a61a312c0 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Wed, 19 Nov 2008 16:11:39 +0000
Subject: [PATCH] x86: secure ioapic_guest_write() against FREE_TO_ASSIGN irq values
Signed-off-by: Jan Beulich
---
 xen/arch/x86/io_apic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index aa21f18104..ff208e80af 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -2196,7 +2196,7 @@ int ioapic_guest_write(unsigned long physbase, unsigned int reg, u32 val)
 if ( new_rte.vector >= FIRST_DYNAMIC_VECTOR )
 new_irq = vector_irq[new_rte.vector];
 
- if ( (old_irq != new_irq) && (old_irq != -1) && IO_APIC_IRQ(old_irq) )
+ if ( (old_irq != new_irq) && (old_irq >= 0) && IO_APIC_IRQ(old_irq) )
 {
 if ( irq_desc[IO_APIC_VECTOR(old_irq)].action )
 {
@@ -2208,7 +2208,7 @@ int ioapic_guest_write(unsigned long physbase, unsigned int reg, u32 val)
 remove_pin_at_irq(old_irq, apic, pin);
 }
 
- if ( (new_irq != -1) && IO_APIC_IRQ(new_irq) )
+ if ( (new_irq >= 0) && IO_APIC_IRQ(new_irq) )
 {
 if ( irq_desc[IO_APIC_VECTOR(new_irq)].action )
 {
--
2.30.2
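Review bot: The new `(old_irq >= 0)` test in the first hunk and `(new_irq >= 0)` in the second only reject negative sentinels if both variables are signed; their declarations are outside the hunks, so confirm they are `int`, since on an unsigned type the comparison is always true and the guard in front of `irq_desc[IO_APIC_VECTOR(...)]` disappears. The checks also bound the irq only from below, so the index is trusted to stay in range on the strength of what `vector_irq[]` holds, which is worth stating. Because `new_rte.vector` is presumably taken from the guest-supplied `val`, I would add a comment above the first test such as `/* vector_irq[] may hold negative sentinels (e.g. FREE_TO_ASSIGN), not only -1: reject every negative irq before indexing irq_desc[] */`. The body of ioapic_guest_write starts and ends outside both hunks.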