authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:05:47 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 14:19:09 +0200
commit6d33e8e7dc9d40ea105feed4b39caa3e641569e8 (patch)
treedc0f7b63b5d42aa84af6f51dffe16c4193594c59 /block/qcow2.c
parent2d51c32c4b511db8bb9e58208f1e2c25e4c06c85 (diff)
qcow2: Fix backing file name length check
len could become negative and would pass the check then. Nothing bad happened because bdrv_pread() happens to return an error for negative length values, but make variables for sizes unsigned anyway. This patch also changes the behaviour to error out on invalid lengths instead of silently truncating it to 1023. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/qcow2.c')
-rw-r--r--block/qcow2.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/block/qcow2.c b/block/qcow2.c
index 3639528..cc1bfeb 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -445,7 +445,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, ret = 0;
+ unsigned int len, i;
+ int ret = 0;
QCowHeader header;
QemuOpts *opts;
Error *local_err = NULL;
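Review bot: The declaration change also turns the loop index `i` unsigned, which the commit message only justifies for size variables; if any loop later in qcow2_open (outside this hunk) compares `i` against a signed count or expects it to go below zero, the meaning changes silently. If `i` is only ever used as a non-negative index this is harmless, but it would be cleaner to keep the fix to its stated scope with `unsigned int len;` and `int i, ret = 0;`, or to note why the index was changed. qcow2_open's body runs well past this hunk.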
@@ -721,8 +722,10 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
- if (len > 1023) {
- len = 1023;
+ if (len > MIN(1023, s->cluster_size - header.backing_file_offset)) {
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);
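Review bot: The added condition does not guard against `header.backing_file_offset` itself exceeding `s->cluster_size`: with the offset presumably a 64-bit unsigned header field, `s->cluster_size - header.backing_file_offset` wraps to a huge value under the usual arithmetic conversions, `MIN()` collapses to 1023, and a crafted image still reaches `bdrv_pread()` with an offset outside the header cluster. Unless an earlier check in qcow2_open (outside this hunk) already rejects such offsets, the condition should read `if (header.backing_file_offset > s->cluster_size || len > MIN(1023, s->cluster_size - header.backing_file_offset)) {`. The literal 1023 also silently encodes the size of `bs->backing_file` minus the terminator; writing it as `sizeof(bs->backing_file) - 1` or adding `/* leave room for the NUL terminator */` would tie the bound to the buffer it protects. qcow2_open continues past the end of this hunk.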