authorJohn Levon <john.levon@nutanix.com>2021-11-24 23:15:33 +0000
committerGitHub <noreply@github.com>2021-11-24 23:15:33 +0000
commit3602ad8f6ebb786adf1e09b4f39e9e9465d2fffc (patch)
treeb38ba6db720a48965dde06872277d175fc8379d6 /test
parentace83abb5d62ef91bafd20219be1bdaf4f57f091 (diff)
is_valid_region_access(): account for wrap-around (#624)
AFL++ found this, though we already knew about it, so fix it by comparing against a saturating addition. This was the only instance of client-controlled potential overflow I noticed. Signed-off-by: John Levon <john.levon@nutanix.com> Reviewed-by: Swapnil Ingle <swapnil.ingle@nutanix.com> Reviewed-by: Thanos Makatos <thanos.makatos@nutanix.com>
Diffstat (limited to 'test')
-rw-r--r--test/py/libvfio_user.py2
-rw-r--r--test/py/test_setup_region.py19
2 files changed, 21 insertions, 0 deletions
diff --git a/test/py/libvfio_user.py b/test/py/libvfio_user.py
index 77b3b67..cbe6156 100644
--- a/test/py/libvfio_user.py
+++ b/test/py/libvfio_user.py
@@ -42,6 +42,8 @@ import socket
import struct
import syslog
+UINT64_MAX = 18446744073709551615
+
# from linux/pci_regs.h and linux/pci_defs.h
PCI_HEADER_TYPE_NORMAL = 0
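Review bot: `UINT64_MAX = 18446744073709551615` is a bare 20-digit literal whose value a reader has to verify by eye; deriving it, `UINT64_MAX = (1 << 64) - 1`, states the intent and cannot be mistyped. A short comment would also explain why a test helper module defines it, e.g. `# largest value a 64-bit offset/count field can carry; used to exercise wrap-around checks`. The surrounding import block continues outside the hunk.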
diff --git a/test/py/test_setup_region.py b/test/py/test_setup_region.py
index ac6dc03..76cd1d9 100644
--- a/test/py/test_setup_region.py
+++ b/test/py/test_setup_region.py
@@ -174,5 +174,24 @@ def test_setup_region_cfg_always_cb():
disconnect_client(ctx, sock)
+def test_region_offset_overflow():
+ global ctx
+
+ ret = vfu_setup_region(ctx, index=VFU_PCI_DEV_CFG_REGION_IDX,
+ size=PCI_CFG_SPACE_EXP_SIZE, cb=pci_cfg_region_cb,
+ flags=(VFU_REGION_FLAG_RW))
+ assert ret == 0
+
+ ret = vfu_realize_ctx(ctx)
+ assert ret == 0
+
+ sock = connect_client(ctx)
+
+ read_region(ctx, sock, VFU_PCI_DEV_CFG_REGION_IDX,
+ offset=UINT64_MAX, count=256, expect=errno.EINVAL)
+
+ disconnect_client(ctx, sock)
+
+
def test_setup_region_cleanup():
vfu_destroy_ctx(ctx)
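Review bot: `global ctx` at the top of test_region_offset_overflow is unnecessary: the function only reads `ctx` and never rebinds it, so the module-level name is found without the declaration; keep it only if the file's other tests, which are outside this hunk, use the same convention. The test also gives no hint why `offset=UINT64_MAX` with `count=256` is the interesting input; a comment such as `# offset + count wraps past 2**64, so an unchecked sum would look like a small in-bounds access` would document the regression being pinned. It would be worth adding a companion read_region call at a valid end-of-region offset with whatever value `expect` uses for success (its convention is defined outside the hunk), so the saturating comparison is shown not to reject legitimate tail reads.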