Message ID | 1395835569-21193-41-git-send-email-stefanha@redhat.com |
---|---|
State | New |
Headers | show |
On 26.03.2014 13:06, Stefan Hajnoczi wrote: > From: Kevin Wolf <kwolf@redhat.com> > > Limiting the size of a single request to INT_MAX not only fixes a > direct integer overflow in bdrv_check_request() (which would only > trigger bad behaviour with ridiculously huge images, as in close to > 2^64 bytes), but can also prevent overflows in all block drivers. > > Signed-off-by: Kevin Wolf <kwolf@redhat.com> > --- > block.c | 4 ++++ > 1 file changed, 4 insertions(+) Reviewed-by: Max Reitz <mreitz@redhat.com>
diff --git a/block.c b/block.c index acb70fd..7a90a1b 100644 --- a/block.c +++ b/block.c @@ -2588,6 +2588,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors) { + if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) { + return -EIO; + } + return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE); }