Index: xen-3.3.1-testing/tools/ioemu-remote/block.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/block.c
+++ xen-3.3.1-testing/tools/ioemu-remote/block.c
@@ -630,6 +630,9 @@ int bdrv_write(BlockDriverState *bs, int
 return 0;
 }
 } else {
+ unsigned int ns = sector_num * 512;
+ if (ns < 0)
+ return -1;
 return drv->bdrv_write(bs, sector_num, buf, nb_sectors);
 }
 }
Index: xen-3.3.1-testing/tools/ioemu-remote/hw/ne2000.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/hw/ne2000.c
+++ xen-3.3.1-testing/tools/ioemu-remote/hw/ne2000.c
@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq
 NE2000State *s = opaque;
 if (s->cmd & E8390_STOP)
- return 1;
+ return 0;
 return !ne2000_buffer_full(s);
 }
Index: xen-3.3.1-testing/tools/ioemu-remote/hw/pc.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/hw/pc.c
+++ xen-3.3.1-testing/tools/ioemu-remote/hw/pc.c
@@ -387,7 +387,8 @@ static void bochs_bios_write(void *opaqu
 case 0x400:
 case 0x401:
 fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
- exit(1);
+ /* according to documentation, these can be safely ignored */
+ break;
 case 0x402:
 case 0x403:
 #ifdef DEBUG_BIOS
@@ -410,8 +411,9 @@ static void bochs_bios_write(void *opaqu
 /* LGPL'ed VGA BIOS messages */
 case 0x501:
 case 0x502:
+ /* according to documentation, these can be safely ignored */
 fprintf(stderr, "VGA BIOS panic, line %d\n", val);
- exit(1);
+ break;
 case 0x500:
 case 0x503:
 #ifdef DEBUG_BIOS
Index: xen-3.3.1-testing/tools/ioemu-remote/target-i386/translate.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/target-i386/translate.c
+++ xen-3.3.1-testing/tools/ioemu-remote/target-i386/translate.c
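Review bot: In the block.c hunk (the `else` branch of bdrv_write) the added guard can never fire, because `ns` is declared `unsigned int` and `ns < 0` is therefore always false; the multiplication by 512 is also truncated to the width of `unsigned int` before the test. If the intent is to reject a negative sector number before it reaches the driver, test the signed input directly, `if (sector_num < 0) return -1;`, and consider bounding the end of the request against the device size as well. The function starts outside the hunk, so the parameter types are assumed from the truncated hunk header and the call, and the branch above the `else` is not visible and may need the same check.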
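Review bot: In the ne2000.c hunk the changed `return 0;` in ne2000_can_receive has no comment explaining why a stopped NIC now refuses packets instead of accepting them, and that reasoning is the whole content of the change. I would add something like `/* NIC is stopped: tell the net layer not to deliver */` above the return. If this callback is only advisory, the receive handler itself, which is outside the hunk, should also check `E8390_STOP` before touching the ring; that cannot be confirmed from here.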
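Review bot: In both pc.c hunks (ports 0x400/0x401 and 0x501/0x502 in bochs_bios_write) the `fprintf` now runs on every guest write to these ports with nothing ending the process, so a guest that writes them in a loop can grow the device model's stderr log without bound. Consider logging only the first few occurrences, for example `static int panics; if (panics++ < 10) fprintf(...);`. The comment `according to documentation, these can be safely ignored` should name the document it relies on, and in the second hunk it sits above the `fprintf` rather than above the `break` it explains.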
@@ -5661,6 +5661,7 @@ static target_ulong disas_insn(DisasCont
 gen_jmp_im(pc_start - s->cs_base);
 gen_op_into(s->pc - pc_start);
 break;
+#ifdef WANT_ICEBP
 case 0xf1: /* icebp (undocumented, exits to external debugger) */
 if (gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP))
 break;
@@ -5672,6 +5673,7 @@ static target_ulong disas_insn(DisasCont
 cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
 #endif
 break;
+#endif /* icebp */
 case 0xfa: /* cli */
 if (!s->vm86) {
 if (s->cpl <= s->iopl) {
Index: xen-3.3.1-testing/tools/ioemu-remote/vl.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/vl.c
+++ xen-3.3.1-testing/tools/ioemu-remote/vl.c
@@ -4380,8 +4380,8 @@ typedef struct NetSocketState {
 VLANClientState *vc;
 int fd;
 int state; /* 0 = getting length, 1 = getting data */
- int index;
- int packet_len;
+ unsigned int index;
+ unsigned int packet_len;
 uint8_t buf[4096];
 struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -4412,7 +4412,8 @@ static void net_socket_receive_dgram(voi
 static void net_socket_send(void *opaque)
 {
 NetSocketState *s = opaque;
- int l, size, err;
+ int size, err;
+ unsigned l;
 uint8_t buf1[4096];
 const uint8_t *buf;
@@ -4451,7 +4452,15 @@ static void net_socket_send(void *opaque
 l = s->packet_len - s->index;
 if (l > size)
 l = size;
- memcpy(s->buf + s->index, buf, l);
+ if (s->index + l <= sizeof(s->buf)) {
+ memcpy(s->buf + s->index, buf, l);
+ } else {
+ fprintf(stderr, "serious error: oversized packet received,"
+ "connection terminated.\n");
+ s->state = 0;
+ goto eoc;
+ }
+
 s->index += l;
 buf += l;
 size -= l;
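Review bot: Neither translate.c hunk says why `case 0xf1` is compiled out or where `WANT_ICEBP` would be defined, so a later reader cannot tell a deliberate hardening switch from leftover debugging. A comment above the `#ifdef`, such as `/* icebp handling is off by default; build with -DWANT_ICEBP to enable */` plus the author's reason, would settle that, and the closing line reads better as `#endif /* WANT_ICEBP */` so it names the macro it closes. With the case removed, opcode 0xf1 presumably reaches the decoder's default handling, which is outside the hunk; it is worth confirming that this path raises an invalid-opcode fault in the guest.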
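Review bot: In the second vl.c hunk (declarations of net_socket_send) `l` becomes `unsigned` while `size` stays `int`, so the later `if (l > size)` compares after converting `size` to unsigned. That is only safe if a negative `recv` result has already been handled before the comparison, which happens outside this hunk and should be confirmed. For consistency with the struct fields changed in the first vl.c hunk I would spell it `unsigned int l;`, with a short comment that it counts bytes to copy.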
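Review bot: In the last vl.c hunk (net_socket_send) the oversized case is caught only at the `memcpy`, after `packet_len` has already been accepted; rejecting a length greater than `sizeof(s->buf)` where it is read from the stream, outside this hunk, would fail earlier and keep the copy path simple. The error path sets `s->state = 0` but leaves `s->index` unchanged in the visible lines, so unless the `eoc` label, also outside the hunk, closes the socket, the next length read starts from a stale index; adding `s->index = 0;` beside the state reset would be safer. The two string literals concatenate to `received,connection terminated.`, so the first one needs a trailing space.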