| Message ID | d60abb1c77ed4387254ff076f9183eab672f3965.1422365520.git.jcody@redhat.com |
|---|---|
| State | New |
| Headers | show |
Am 27.01.2015 um 14:33 hat Jeff Cody geschrieben: > This fixes an off-by-one error introduced in 9a29e18. Both qcow and > qcow2 need to make sure to leave room for string terminator '\0' for > the backing file, so the max length of the non-terminated string is > either 1023 or PATH_MAX - 1. > > Reported-by: Kevin Wolf <kwolf@redhat.com> > Signed-off-by: Jeff Cody <jcody@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Am 27.01.2015 um 14:33 hat Jeff Cody geschrieben: > This fixes an off-by-one error introduced in 9a29e18. Both qcow and > qcow2 need to make sure to leave room for string terminator '\0' for > the backing file, so the max length of the non-terminated string is > either 1023 or PATH_MAX - 1. > > Reported-by: Kevin Wolf <kwolf@redhat.com> > Signed-off-by: Jeff Cody <jcody@redhat.com> Thanks, applied to the block branch. Kevin
diff --git a/block/qcow.c b/block/qcow.c index ccbe9e0..0558969 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; - if (len > 1023 || len > sizeof(bs->backing_file)) { + if (len > 1023 || len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; diff --git a/block/qcow2.c b/block/qcow2.c index dbaf016..7e614d7 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, if (header.backing_file_offset != 0) { len = header.backing_file_size; if (len > MIN(1023, s->cluster_size - header.backing_file_offset) || - len > sizeof(bs->backing_file)) { + len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail;
This fixes an off-by-one error introduced in 9a29e18. Both qcow and qcow2 need to make sure to leave room for string terminator '\0' for the backing file, so the max length of the non-terminated string is either 1023 or PATH_MAX - 1. Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> --- block/qcow.c | 2 +- block/qcow2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)