diff options
author | Jeff Cody <jcody@redhat.com> | 2015-01-27 08:33:55 -0500 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2015-02-06 17:24:21 +0100 |
commit | e729fa6afed3aa917287b63034244f548b79ec60 (patch) | |
tree | 8bb0af56cc2acc5f5145b53f7f91bb8cba2a42cd | |
parent | 319fc53e344d5cead970c74f088ae5c607d426b3 (diff) | |
download | qemu-e729fa6afed3aa917287b63034244f548b79ec60.zip qemu-e729fa6afed3aa917287b63034244f548b79ec60.tar.gz qemu-e729fa6afed3aa917287b63034244f548b79ec60.tar.bz2 |
block: fix off-by-one error in qcow and qcow2
This fixes an off-by-one error introduced in 9a29e18. Both qcow and
qcow2 need to make sure to leave room for string terminator '\0' for
the backing file, so the max length of the non-terminated string is
either 1023 or PATH_MAX - 1.
Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-rw-r--r-- | block/qcow.c | 2 | ||||
-rw-r--r-- | block/qcow2.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c index ccbe9e0..0558969 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; - if (len > 1023 || len > sizeof(bs->backing_file)) { + if (len > 1023 || len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; diff --git a/block/qcow2.c b/block/qcow2.c index dbaf016..7e614d7 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, if (header.backing_file_offset != 0) { len = header.backing_file_size; if (len > MIN(1023, s->cluster_size - header.backing_file_offset) || - len > sizeof(bs->backing_file)) { + len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; |