authorKevin Wolf <kwolf@redhat.com>2014-05-08 13:35:09 +0200
committerKevin Wolf <kwolf@redhat.com>2014-05-19 11:36:49 +0200
commitd66e5cee002c471b78139228a4e7012736b375f9 (patch)
treee6304da0d058cf822920f6e833695eaf6ca7f189 /block/qcow.c
parent46485de0cb357b57373e1ca895adedf1f3ed46ec (diff)
qcow1: Stricter backing file length check
Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead of silently truncating them to 1023. Also don't rely on bdrv_pread() catching integer overflows that make len negative, but use unsigned variables in the first place. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net>
Diffstat (limited to 'block/qcow.c')
-rw-r--r--block/qcow.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c
index 3566c05..7fd57d7 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, shift, ret;
+ unsigned int len, i, shift;
+ int ret;
QCowHeader header;
ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
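Review bot: The new declaration `unsigned int len, i, shift;` also makes `i` and `shift` unsigned, while the commit message only gives a reason for `len`. Their uses lie outside this hunk (the body of qcow_open continues past it), so any comparison of `i` or `shift` against a signed count or size would now convert the signed operand to unsigned; that is worth confirming before merging. A short comment on the declaration would record the intent, for example `/* unsigned: len is taken from the image header and must never go negative */`.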
@@ -202,7 +203,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
if (len > 1023) {
- len = 1023;
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);
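Review bot: The bound in `if (len > 1023) {` is a bare constant that has to stay in step with the size of `bs->backing_file`, whose declaration is not visible in this hunk. If that field is a fixed-size array, checking against the buffer as well keeps the read in bounds should the field size ever change: `if (len > 1023 || len >= sizeof(bs->backing_file)) {`. The check of `ret` and the string termination after the read lie outside the hunk, so the handling of a short read and of the terminator write at index `len` cannot be confirmed from here.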