fix: out of bounds read

Signed-off-by: William Henderson <william.henderson@nutanix.com>
author: William Henderson <william.henderson@nutanix.com> 2023-08-07 15:19:35 +0000
committer: John Levon <john.levon@nutanix.com> 2023-09-15 12:59:39 +0100
commit: 47f82c3d2189c38e06443625c2b17a463cef9fe6 (patch)
tree: 716d2380fc79bff5d3cdd70b9a9e0ac10e1f6e87
parent: b08beb648d673702426c9bca44293034929ed149 (diff)
download: libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.zip
libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.tar.gz
libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.tar.bz2
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/migration.c b/lib/migration.c
index e0cecfe..e450576 100644
--- a/lib/migration.c
+++ b/lib/migration.c
@@ -42,7 +42,9 @@
 bool
 MOCK_DEFINE(vfio_migr_state_transition_is_valid)(uint32_t from, uint32_t to)
 {
-    return (transitions[from] & (1 << to)) != 0;
+    return from < VFIO_USER_DEVICE_NUM_STATES
+        && to < VFIO_USER_DEVICE_NUM_STATES
+        && (transitions[from] & (1 << to)) != 0;
 }
 
 /*
@@ -219,6 +221,10 @@ migration_feature_set(vfu_ctx_t *vfu_ctx, uint32_t feature, void *buf)
         uint32_t state;
         ssize_t ret = 0;
         
+        if (res->device_state > VFIO_USER_DEVICE_NUM_STATES) {
+            return ERROR_INT(EINVAL);
+        }
+        
         while (migr->state != res->device_state && ret == 0) {
             state = next_state[migr->state][res->device_state];
author	William Henderson <william.henderson@nutanix.com>	2023-08-07 15:19:35 +0000
committer	John Levon <john.levon@nutanix.com>	2023-09-15 12:59:39 +0100
commit	47f82c3d2189c38e06443625c2b17a463cef9fe6 (patch)
tree	716d2380fc79bff5d3cdd70b9a9e0ac10e1f6e87
parent	b08beb648d673702426c9bca44293034929ed149 (diff)
download	libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.zip libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.tar.gz libvfio-user-47f82c3d2189c38e06443625c2b17a463cef9fe6.tar.bz2