Message ID | 1397653710-22971-3-git-send-email-kwolf@redhat.com |
---|---|
State | New |
On 16.04.2014 15:08, Kevin Wolf wrote:
> Commit 8f4754ed intended to protect against integer overflow bugs in
> block drivers by making sure that a single request that is passed to
> drivers is no longer than INT_MAX bytes.
>
> However, meanwhile there are some callers that don't use that code path
> any more but call bdrv_check_byte_request() directly, so let's add a
> check there as well.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  block.c | 4 ++++
>  1 file changed, 4 insertions(+)

Reviewed-by: Max Reitz <mreitz@redhat.com>
diff --git a/block.c b/block.c index 8be40bb..bcf9dc9 100644 --- a/block.c +++ b/block.c @@ -2589,6 +2589,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset, { int64_t len; + if (size > INT_MAX) { + return -EIO; + } + if (!bdrv_is_inserted(bs)) return -ENOMEDIUM;
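Review bot: the new `size > INT_MAX` test at the top of bdrv_check_byte_request() carries no comment saying why INT_MAX is the bound, so a later reader cannot tell from the code that it guards block drivers against integer overflow on the request length. A one-line comment above the check stating that would keep it from being relaxed or removed by accident. The check also sits before the `bdrv_is_inserted(bs)` test, so an oversized request against a drive with no medium now returns -EIO instead of -ENOMEDIUM; if that ordering is intended it is worth saying so in the commit message, otherwise move the new check below the medium test.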
Commit 8f4754ed intended to protect against integer overflow bugs in
block drivers by making sure that a single request that is passed to
drivers is no longer than INT_MAX bytes.

However, meanwhile there are some callers that don't use that code path
any more but call bdrv_check_byte_request() directly, so let's add a
check there as well.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block.c | 4 ++++
 1 file changed, 4 insertions(+)