1 #include "qemu/osdep.h"
2 #include "trace.h"
3 #include "ui/qemu-spice.h"
4 #include "chardev/char.h"
5 #include "qapi/error.h"
6 #include "qemu/error-report.h"
7 #include "qemu/option.h"
8 #include <spice.h>
9 #include <spice/protocol.h>
/*
 * State shared by the spicevmc and spiceport character device backends.
 */
typedef struct SpiceChardev {
    /* Base chardev object, embedded as the first member. */
    Chardev parent;

    /*
     * Instance handed to the SPICE server; the vmc_* callbacks recover
     * the enclosing SpiceChardev from it with container_of().
     */
    SpiceCharDeviceInstance sin;
    /* True while sin is registered (see vmc_register_interface()). */
    bool active;
    /* Set by spice_chr_write() on a short write, cleared by vmc_read(). */
    bool blocked;
    /*
     * Borrowed pointer into the buffer passed to spice_chr_write().
     * Not owned here; it is reset before spice_chr_write() returns.
     */
    const uint8_t *datapos;
    /* Number of bytes at datapos not yet taken by vmc_read(). */
    int datalen;
    /* Link in the spice_chars list. */
    QLIST_ENTRY(SpiceChardev) next;
} SpiceChardev;
/* QOM type names: the abstract base type and its two concrete backends. */
#define TYPE_CHARDEV_SPICE     "chardev-spice"
#define TYPE_CHARDEV_SPICEVMC  "chardev-spicevmc"
#define TYPE_CHARDEV_SPICEPORT "chardev-spiceport"

/* Checked cast of an object to SpiceChardev. */
#define SPICE_CHARDEV(obj) \
    OBJECT_CHECK(SpiceChardev, (obj), TYPE_CHARDEV_SPICE)
/*
 * GSource wrapper created by spice_chr_add_watch(); it becomes ready
 * whenever the referenced chardev is not blocked.
 */
typedef struct SpiceCharSource {
    GSource source;    /* base GSource, embedded first */
    SpiceChardev *scd; /* chardev whose 'blocked' flag is polled */
} SpiceCharSource;
/*
 * Every SpiceChardev set up by chr_open(). Walked by
 * qemu_spice_register_ports(); entries are unlinked in
 * char_spice_finalize().
 */
static QLIST_HEAD(, SpiceChardev) spice_chars =
    QLIST_HEAD_INITIALIZER(spice_chars);
/*
 * SPICE server -> chardev: installed as vmc_interface.write.
 *
 * Forwards up to len bytes from buf to the chardev backend. Each chunk is
 * capped by qemu_chr_be_can_write(), so the receiver is never handed more
 * than it advertised; the loop stops at the first point where nothing can
 * be accepted.
 *
 * Returns the number of bytes forwarded, which may be less than len.
 */
static int vmc_write(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len)
{
    SpiceChardev *scd = container_of(sin, SpiceChardev, sin);
    Chardev *chr = CHARDEV(scd);
    /* qemu_chr_be_write() is called with a non-const pointer, hence the cast. */
    uint8_t *cursor = (uint8_t *)buf;
    ssize_t written = 0;

    while (len > 0) {
        int room = qemu_chr_be_can_write(chr);
        ssize_t chunk = len < room ? len : room;

        if (chunk <= 0) {
            break;
        }
        qemu_chr_be_write(chr, cursor, chunk);
        cursor += chunk;
        len -= chunk;
        written += chunk;
    }

    /* len is now the remainder, so len + written is the requested size. */
    trace_spice_vmc_write(written, len + written);
    return written;
}
/*
 * Chardev -> SPICE server: installed as vmc_interface.read.
 *
 * Copies pending data (the window datapos/datalen published by
 * spice_chr_write()) into buf. The copy length is the smaller of len and
 * datalen, so it exceeds neither the size the caller passed nor the data
 * actually pending. Once the window is drained the pointer is dropped and
 * the 'blocked' flag is cleared.
 *
 * Returns the number of bytes copied; this is <= 0 when nothing was copied.
 */
static int vmc_read(SpiceCharDeviceInstance *sin, uint8_t *buf, int len)
{
    SpiceChardev *scd = container_of(sin, SpiceChardev, sin);
    int count = len < scd->datalen ? len : scd->datalen;

    if (count > 0) {
        memcpy(buf, scd->datapos, count);
        scd->datapos += count;
        scd->datalen -= count;
        /* Invariant check: the window must never go negative. */
        assert(scd->datalen >= 0);
    }
    if (scd->datalen == 0) {
        /* Nothing left: do not keep a pointer into the writer's buffer. */
        scd->datapos = NULL;
        scd->blocked = false;
    }
    trace_spice_vmc_read(count, len);
    return count;
}
#if SPICE_SERVER_VERSION >= 0x000c02
/*
 * Installed as vmc_interface.event. Only SPICE_PORT_EVENT_BREAK is
 * translated (to CHR_EVENT_BREAK); every other event value is ignored.
 */
static void vmc_event(SpiceCharDeviceInstance *sin, uint8_t event)
{
    SpiceChardev *scd = container_of(sin, SpiceChardev, sin);
    Chardev *chr = CHARDEV(scd);
    int chr_event;

    if (event != SPICE_PORT_EVENT_BREAK) {
        /* Unknown or unhandled event: drop it rather than forward it. */
        return;
    }
    chr_event = CHR_EVENT_BREAK;

    trace_spice_vmc_event(chr_event);
    qemu_chr_be_event(chr, chr_event);
}
#endif
/*
 * Installed as vmc_interface.state. Emits CHR_EVENT_OPENED or
 * CHR_EVENT_CLOSED, but only when 'connected' differs from the chardev's
 * current be_open state, so repeated notifications are not forwarded.
 */
static void vmc_state(SpiceCharDeviceInstance *sin, int connected)
{
    SpiceChardev *scd = container_of(sin, SpiceChardev, sin);
    Chardev *chr = CHARDEV(scd);

    /* Compare truth values: both open or both closed means no change. */
    if (!chr->be_open == !connected) {
        return;
    }

    if (connected) {
        qemu_chr_be_event(chr, CHR_EVENT_OPENED);
    } else {
        qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
    }
}
/*
 * Callback table given to the SPICE server for every SpiceChardev.
 * The event callback and the flags field are only set when the
 * spice-server headers are new enough, per the version checks below.
 */
static SpiceCharDeviceInterface vmc_interface = {
    .base = {
        .type          = SPICE_INTERFACE_CHAR_DEVICE,
        .description   = "spice virtual channel char device",
        .major_version = SPICE_INTERFACE_CHAR_DEVICE_MAJOR,
        .minor_version = SPICE_INTERFACE_CHAR_DEVICE_MINOR,
    },
    .state = vmc_state,
    .write = vmc_write,
    .read  = vmc_read,
#if SPICE_SERVER_VERSION >= 0x000c02
    .event = vmc_event,
#endif
#if SPICE_SERVER_VERSION >= 0x000c06
    .flags = SPICE_CHAR_DEVICE_NOTIFY_WRITABLE,
#endif
};
/*
 * Attach scd's device instance to the SPICE server using vmc_interface.
 * Does nothing when the instance is already registered, so the interface
 * is never added twice.
 */
static void vmc_register_interface(SpiceChardev *scd)
{
    if (!scd->active) {
        scd->sin.base.sif = &vmc_interface.base;
        qemu_spice_add_interface(&scd->sin.base);
        scd->active = true;
        trace_spice_vmc_register_interface(scd);
    }
}
/*
 * Detach scd's device instance from the SPICE server. Does nothing when
 * the instance is not registered, so a removal is never issued for an
 * interface that was not added.
 */
static void vmc_unregister_interface(SpiceChardev *scd)
{
    if (scd->active) {
        spice_server_remove_interface(&scd->sin.base);
        scd->active = false;
        trace_spice_vmc_unregister_interface(scd);
    }
}
/*
 * GSource prepare hook: requests no poll timeout (-1) and reports the
 * source as ready whenever the chardev is not blocked.
 */
static gboolean spice_char_source_prepare(GSource *source, gint *timeout)
{
    SpiceChardev *scd = ((SpiceCharSource *)source)->scd;

    *timeout = -1;

    return !scd->blocked;
}
/* GSource check hook: ready whenever the chardev is not blocked. */
static gboolean spice_char_source_check(GSource *source)
{
    SpiceChardev *scd = ((SpiceCharSource *)source)->scd;

    return !scd->blocked;
}
/*
 * GSource dispatch hook: invokes the watch callback as a GIOFunc with a
 * NULL channel and the G_IO_OUT condition, and returns its result.
 *
 * NOTE(review): callback is called without a NULL check; this relies on
 * every user of the watch installing a callback -- confirm against callers.
 */
static gboolean spice_char_source_dispatch(GSource *source,
    GSourceFunc callback, gpointer user_data)
{
    return ((GIOFunc)callback)(NULL, G_IO_OUT, user_data);
}
/* GSource vtable used by the watches built in spice_chr_add_watch(). */
static GSourceFuncs SpiceCharSourceFuncs = {
    .prepare  = spice_char_source_prepare,
    .check    = spice_char_source_check,
    .dispatch = spice_char_source_dispatch,
};
/*
 * chr_add_watch hook: creates a SpiceCharSource bound to this chardev.
 * Only write-readiness is modelled, so cond must include G_IO_OUT
 * (enforced with an assert).
 *
 * Returns the new GSource.
 */
static GSource *spice_chr_add_watch(Chardev *chr, GIOCondition cond)
{
    SpiceChardev *scd = SPICE_CHARDEV(chr);
    GSource *gsrc;

    assert(cond & G_IO_OUT);

    /* Allocate the larger wrapper type so the scd back-pointer fits. */
    gsrc = g_source_new(&SpiceCharSourceFuncs, sizeof(SpiceCharSource));
    ((SpiceCharSource *)gsrc)->scd = scd;

    return gsrc;
}
/*
 * chr_write hook: offers buf/len to the SPICE server.
 *
 * The buffer is not copied. It is published through datapos/datalen and
 * the server is woken up; the byte count is then computed from how far
 * datalen dropped, so this code relies on vmc_read() having run before
 * spice_server_char_device_wakeup() returns.
 *
 * buf belongs to the caller, so the window is always closed before
 * returning: either vmc_read() drained it and reset datapos, or the
 * short-write branch below resets it. No pointer into buf outlives the
 * call.
 *
 * Returns the number of bytes consumed, which may be less than len; in
 * that case the chardev is marked blocked.
 */
static int spice_chr_write(Chardev *chr, const uint8_t *buf, int len)
{
    SpiceChardev *s = SPICE_CHARDEV(chr);
    int consumed;

    /* A previous call must not have left a window open. */
    assert(s->datalen == 0);
    s->datapos = buf;
    s->datalen = len;
    spice_server_char_device_wakeup(&s->sin);

    consumed = len - s->datalen;
    if (consumed == len) {
        return consumed;
    }

    /* We'll get passed in the unconsumed data with the next call */
    s->datalen = 0;
    s->datapos = NULL;
    s->blocked = true;
    return consumed;
}
/*
 * instance_finalize hook: unregisters the SPICE interface, unlinks the
 * device from spice_chars if it was linked, and frees the strings
 * duplicated at open time (subtype, and portname where supported).
 */
static void char_spice_finalize(Object *obj)
{
    SpiceChardev *s = SPICE_CHARDEV(obj);

    /* Detach from the server before the memory behind sin goes away. */
    vmc_unregister_interface(s);

    /* le_prev is only set once the entry has been inserted into a list. */
    if (s->next.le_prev != NULL) {
        QLIST_REMOVE(s, next);
    }

    /* The casts drop const from fields that hold g_strdup() copies. */
    g_free((char *)s->sin.subtype);
#if SPICE_SERVER_VERSION >= 0x000c02
    g_free((char *)s->sin.portname);
#endif
}
/*
 * chr_set_fe_open hook for spicevmc: the SPICE interface is registered
 * while the frontend is open and unregistered when it closes.
 */
static void spice_vmc_set_fe_open(struct Chardev *chr, int fe_open)
{
    SpiceChardev *s = SPICE_CHARDEV(chr);

    if (!fe_open) {
        vmc_unregister_interface(s);
        return;
    }
    vmc_register_interface(s);
}
/*
 * chr_set_fe_open hook for spiceport: reports frontend open/close to the
 * SPICE server as a port event. Compiles to an empty function when the
 * spice-server headers predate 0x000c02.
 */
static void spice_port_set_fe_open(struct Chardev *chr, int fe_open)
{
#if SPICE_SERVER_VERSION >= 0x000c02
    SpiceChardev *s = SPICE_CHARDEV(chr);

    spice_server_port_event(&s->sin, fe_open ? SPICE_PORT_EVENT_OPENED
                                             : SPICE_PORT_EVENT_CLOSED);
#endif
}
/* chr_accept_input hook: wakes up the SPICE char device for this chardev. */
static void spice_chr_accept_input(struct Chardev *chr)
{
    SpiceChardev *scd = SPICE_CHARDEV(chr);

    spice_server_char_device_wakeup(&scd->sin);
}
/*
 * Common open step: marks the device as not yet registered, stores a
 * private copy of subtype (freed in char_spice_finalize()) and links the
 * device into spice_chars.
 */
static void chr_open(Chardev *chr, const char *subtype)
{
    SpiceChardev *scd = SPICE_CHARDEV(chr);

    scd->active = false;
    /* Duplicate: the caller's string is not retained. */
    scd->sin.subtype = g_strdup(subtype);

    QLIST_INSERT_HEAD(&spice_chars, scd, next);
}
/*
 * open hook for spicevmc.
 *
 * The requested channel type is a configuration-supplied string, so it is
 * accepted only if it exactly matches one of the subtypes the SPICE server
 * reports as recognized. Anything else is rejected with an error that
 * lists the allowed names, and the device is not opened.
 *
 * On success *be_opened is set to false and the device is set up through
 * chr_open().
 */
static void qemu_chr_open_spice_vmc(Chardev *chr,
                                    ChardevBackend *backend,
                                    bool *be_opened,
                                    Error **errp)
{
    ChardevSpiceChannel *spicevmc = backend->u.spicevmc.data;
    const char *type = spicevmc->type;
    const char **candidate = spice_server_char_device_recognized_subtypes();
    char *allowed;

    /* Walk the NULL-terminated list until a match or the terminator. */
    while (*candidate != NULL && strcmp(type, *candidate) != 0) {
        ++candidate;
    }

    if (*candidate != NULL) {
        *be_opened = false;
        chr_open(chr, type);
        return;
    }

    allowed = g_strjoinv(", ",
        (gchar **)spice_server_char_device_recognized_subtypes());

    error_setg(errp, "unsupported type name: %s", type);
    error_append_hint(errp, "allowed spice char type names: %s\n",
                      allowed);

    g_free(allowed);
}
#if SPICE_SERVER_VERSION >= 0x000c02
/*
 * open hook for spiceport.
 *
 * Fails with "missing name parameter" when no fqdn was supplied.
 * Otherwise the device is set up with subtype "port", *be_opened is set
 * to false, and a private copy of the name is stored as the port name
 * (freed in char_spice_finalize()).
 */
static void qemu_chr_open_spice_port(Chardev *chr,
                                     ChardevBackend *backend,
                                     bool *be_opened,
                                     Error **errp)
{
    ChardevSpicePort *spiceport = backend->u.spiceport.data;
    const char *fqdn = spiceport->fqdn;
    SpiceChardev *scd;

    if (fqdn == NULL) {
        error_setg(errp, "missing name parameter");
        return;
    }

    chr_open(chr, "port");

    *be_opened = false;
    scd = SPICE_CHARDEV(chr);
    scd->sin.portname = g_strdup(fqdn);
}
/*
 * Registers the SPICE interface of every device in spice_chars that has a
 * port name. Devices without one are skipped.
 */
void qemu_spice_register_ports(void)
{
    SpiceChardev *scd;

    QLIST_FOREACH(scd, &spice_chars, next) {
        if (scd->sin.portname != NULL) {
            vmc_register_interface(scd);
        }
    }
}
#endif
/*
 * parse hook for spicevmc: turns the "name" option into a
 * ChardevSpiceChannel backend description. A missing name is reported as
 * an error and the backend is left untouched. The name is only required to
 * be present here; it is checked against the recognized subtypes later, in
 * qemu_chr_open_spice_vmc().
 */
static void qemu_chr_parse_spice_vmc(QemuOpts *opts, ChardevBackend *backend,
                                     Error **errp)
{
    const char *name = qemu_opt_get(opts, "name");
    ChardevSpiceChannel *channel;

    if (name == NULL) {
        error_setg(errp, "chardev: spice channel: no name given");
        return;
    }

    backend->type = CHARDEV_BACKEND_KIND_SPICEVMC;
    channel = g_new0(ChardevSpiceChannel, 1);
    backend->u.spicevmc.data = channel;
    qemu_chr_parse_common(opts, qapi_ChardevSpiceChannel_base(channel));
    /* Own copy, so the backend does not alias the option string. */
    channel->type = g_strdup(name);
}
/*
 * parse hook for spiceport: turns the "name" option into a
 * ChardevSpicePort backend description, stored as its fqdn. A missing
 * name is reported as an error and the backend is left untouched.
 */
static void qemu_chr_parse_spice_port(QemuOpts *opts, ChardevBackend *backend,
                                      Error **errp)
{
    const char *name = qemu_opt_get(opts, "name");
    ChardevSpicePort *port;

    if (name == NULL) {
        error_setg(errp, "chardev: spice port: no name given");
        return;
    }

    backend->type = CHARDEV_BACKEND_KIND_SPICEPORT;
    port = g_new0(ChardevSpicePort, 1);
    backend->u.spiceport.data = port;
    qemu_chr_parse_common(opts, qapi_ChardevSpicePort_base(port));
    /* Own copy, so the backend does not alias the option string. */
    port->fqdn = g_strdup(name);
}
/*
 * class_init for the abstract base type: installs the hooks shared by
 * both backends (write, watch creation, accept-input).
 */
static void char_spice_class_init(ObjectClass *oc, void *data)
{
    ChardevClass *klass = CHARDEV_CLASS(oc);

    klass->chr_accept_input = spice_chr_accept_input;
    klass->chr_add_watch = spice_chr_add_watch;
    klass->chr_write = spice_chr_write;
}
/*
 * Abstract base type: it carries the instance size and the finalizer for
 * both backends and cannot be instantiated on its own.
 */
static const TypeInfo char_spice_type_info = {
    .name              = TYPE_CHARDEV_SPICE,
    .parent            = TYPE_CHARDEV,
    .abstract          = true,
    .instance_size     = sizeof(SpiceChardev),
    .instance_finalize = char_spice_finalize,
    .class_init        = char_spice_class_init,
};
/* class_init for spicevmc: option parsing, open and fe-open handling. */
static void char_spicevmc_class_init(ObjectClass *oc, void *data)
{
    ChardevClass *klass = CHARDEV_CLASS(oc);

    klass->chr_set_fe_open = spice_vmc_set_fe_open;
    klass->open = qemu_chr_open_spice_vmc;
    klass->parse = qemu_chr_parse_spice_vmc;
}
/* Concrete spicevmc type, derived from the abstract spice chardev type. */
static const TypeInfo char_spicevmc_type_info = {
    .name       = TYPE_CHARDEV_SPICEVMC,
    .parent     = TYPE_CHARDEV_SPICE,
    .class_init = char_spicevmc_class_init,
};
/*
 * class_init for spiceport: option parsing, open and fe-open handling.
 *
 * NOTE(review): qemu_chr_open_spice_port() is defined only under
 * "#if SPICE_SERVER_VERSION >= 0x000c02", while the reference below is
 * unconditional. A build against older spice-server headers would fail
 * here -- confirm the minimum supported version.
 */
static void char_spiceport_class_init(ObjectClass *oc, void *data)
{
    ChardevClass *klass = CHARDEV_CLASS(oc);

    klass->chr_set_fe_open = spice_port_set_fe_open;
    klass->open = qemu_chr_open_spice_port;
    klass->parse = qemu_chr_parse_spice_port;
}
/* Concrete spiceport type, derived from the abstract spice chardev type. */
static const TypeInfo char_spiceport_type_info = {
    .name       = TYPE_CHARDEV_SPICEPORT,
    .parent     = TYPE_CHARDEV_SPICE,
    .class_init = char_spiceport_class_init,
};
/*
 * Registers the three chardev types defined in this file, base type
 * first. Hooked into type initialisation by type_init() below.
 */
static void register_types(void)
{
    static const TypeInfo *const spice_types[] = {
        &char_spice_type_info,
        &char_spicevmc_type_info,
        &char_spiceport_type_info,
    };
    size_t i;

    for (i = 0; i < sizeof(spice_types) / sizeof(spice_types[0]); i++) {
        type_register_static(spice_types[i]);
    }
}

type_init(register_types);