author Kevin Wolf <kwolf@redhat.com> 2014-04-14 14:48:16 +0200
committer Kevin Wolf <kwolf@redhat.com> 2014-04-22 11:57:02 +0200
commit 1dd3a44753f10970ded50950d28353c00bfcaf91 (patch)
tree 282737fd052128bb1a4fd243f93e7f6d1e95ba87 /block.c
parent 54db38a47978381e23e7f6479c31a97b5d352f7e (diff)
block: Limit size to INT_MAX in bdrv_check_byte_request()
Commit 8f4754ed intended to protect against integer overflow bugs in block drivers by making sure that a single request that is passed to drivers is no longer than INT_MAX bytes. However, meanwhile there are some callers that don't use that code path any more but call bdrv_check_byte_request() directly, so let's add a check there as well.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Diffstat (limited to 'block.c')
-rw-r--r-- block.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/block.c b/block.c
index 3b7951e..5a0b421 100644
--- a/block.c
+++ b/block.c
@@ -2581,6 +2581,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
{
int64_t len;
+ if (size > INT_MAX) {
+ return -EIO;
+ }
+
if (!bdrv_is_inserted(bs))
return -ENOMEDIUM;
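Review bot: the new `if (size > INT_MAX)` test at the top of bdrv_check_byte_request() carries no comment saying why INT_MAX is the bound, so a later reader cannot tell from the function that the limit exists because drivers may hold byte counts in an int; a one-line comment above the check would record that. The declaration of `size` is outside the visible context: if it is a signed type, a negative value passes this test, so either confirm it is unsigned or reject `size < 0` here as well. Note also that the check sits before the bdrv_is_inserted() test, so an oversized request against a drive with no medium now returns -EIO rather than -ENOMEDIUM; if callers distinguish the two, moving the size check below the medium check would keep the old error for that case.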