Commit fbb7b4e0804d2168f24142eebf7552adde1968dc
Committed by
Anthony Liguori
Anthony Liguori
1 parent
989cebff
Improve block range checks
This patch makes the range checks for block requests more strict: It fixes a potential integer overflow and checks for negative offsets. Also, it adds the check for compressed writes. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Showing
1 changed file
with
6 additions
and
1 deletions
block.c
| @@ -578,7 +578,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, | @@ -578,7 +578,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, | ||
| 578 | 578 | ||
| 579 | len = bdrv_getlength(bs); | 579 | len = bdrv_getlength(bs); |
| 580 | 580 | ||
| 581 | - if ((offset + size) > len) | 581 | + if (offset < 0) |
| 582 | + return -EIO; | ||
| 583 | + | ||
| 584 | + if ((offset > len) || (len - offset < size)) | ||
| 582 | return -EIO; | 585 | return -EIO; |
| 583 | 586 | ||
| 584 | return 0; | 587 | return 0; |
| @@ -1150,6 +1153,8 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num, | @@ -1150,6 +1153,8 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num, | ||
| 1150 | return -ENOMEDIUM; | 1153 | return -ENOMEDIUM; |
| 1151 | if (!drv->bdrv_write_compressed) | 1154 | if (!drv->bdrv_write_compressed) |
| 1152 | return -ENOTSUP; | 1155 | return -ENOTSUP; |
| 1156 | + if (bdrv_check_request(bs, sector_num, nb_sectors)) | ||
| 1157 | + return -EIO; | ||
| 1153 | return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors); | 1158 | return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors); |
| 1154 | } | 1159 | } |
| 1155 | 1160 |