aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeff Cody <jcody@redhat.com>2015-01-27 08:33:55 -0500
committerKevin Wolf <kwolf@redhat.com>2015-02-06 17:24:21 +0100
commite729fa6afed3aa917287b63034244f548b79ec60 (patch)
tree8bb0af56cc2acc5f5145b53f7f91bb8cba2a42cd
parent319fc53e344d5cead970c74f088ae5c607d426b3 (diff)
downloadqemu-e729fa6afed3aa917287b63034244f548b79ec60.zip
qemu-e729fa6afed3aa917287b63034244f548b79ec60.tar.gz
qemu-e729fa6afed3aa917287b63034244f548b79ec60.tar.bz2
block: fix off-by-one error in qcow and qcow2
This fixes an off-by-one error introduced in 9a29e18. Both qcow and qcow2 need to make sure to leave room for string terminator '\0' for the backing file, so the max length of the non-terminated string is either 1023 or PATH_MAX - 1. Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-rw-r--r--block/qcow.c2
-rw-r--r--block/qcow2.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c
index ccbe9e0..0558969 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
- if (len > 1023 || len > sizeof(bs->backing_file)) {
+ if (len > 1023 || len >= sizeof(bs->backing_file)) {
error_setg(errp, "Backing file name too long");
ret = -EINVAL;
goto fail;
diff --git a/block/qcow2.c b/block/qcow2.c
index dbaf016..7e614d7 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
if (len > MIN(1023, s->cluster_size - header.backing_file_offset) ||
- len > sizeof(bs->backing_file)) {
+ len >= sizeof(bs->backing_file)) {
error_setg(errp, "Backing file name too long");
ret = -EINVAL;
goto fail;