On Mon, 2026-01-12 at 19:00 -0500, Joel Fernandes wrote:
> Since this subtraction's values come from fw, it would be good to use
> checked_sub(). Otherwise, this could:
>
> 1. blow up if overflow checking is enabled.
> 2. len can underflow and be entirely plausible but incorrect, causing
> unpredictable failures.
>
> I am fixing other similar existing issues in nova-core as well but since this
> patch is in flight, it'd be great to fix it in the next posting (it sounds
> like there will be a next posting).
I'll make this fix for v6, but stuff like this is why I think the constructors for these objects should verify the bits of the images in fw, and return a Result<> if they are corrupted.
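To illustrate the two points raised above (checked_sub() on a firmware-derived length, and a constructor that validates the image and returns a Result), here is a small added example in plain std Rust. It is not nova-core code: the header layout, the `FwImage`/`FwError` names, the magic value and the sample images are all constructed for this illustration.

```rust
// Added illustration, not nova-core code. Hypothetical firmware image header:
//   bytes 0..4   magic
//   bytes 4..8   total_len  (u32 LE, whole image including header)
//   bytes 8..12  header_len (u32 LE, offset where the payload starts)
// Both length fields come from the firmware blob and are therefore untrusted.

/// Errors the constructor reports instead of computing a wrong length.
#[derive(Debug, PartialEq)]
pub enum FwError {
    Truncated,
    BadMagic,
    InvalidLayout { total: u32, header: u32 },
}

/// A validated view of the image; `payload` is guaranteed to lie inside `bytes`.
#[derive(Debug, PartialEq)]
pub struct FwImage<'a> {
    pub payload: &'a [u8],
}

const MAGIC: &[u8; 4] = b"HYPO"; // constructed magic, not a real format
const HEADER_SIZE: usize = 12;

/// Bounds-checked little-endian u32 read; None if the field is out of range.
fn read_u32_le(bytes: &[u8], off: usize) -> Option<u32> {
    let s = bytes.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

impl<'a> FwImage<'a> {
    /// Validates every firmware-supplied field before using it for arithmetic
    /// or slicing, so a corrupted image yields Err rather than a bogus length.
    pub fn parse(bytes: &'a [u8]) -> Result<Self, FwError> {
        if bytes.len() < HEADER_SIZE {
            return Err(FwError::Truncated);
        }
        if &bytes[..4] != &MAGIC[..] {
            return Err(FwError::BadMagic);
        }
        let total = read_u32_le(bytes, 4).ok_or(FwError::Truncated)?;
        let header = read_u32_le(bytes, 8).ok_or(FwError::Truncated)?;
        let layout_err = || FwError::InvalidLayout { total, header };

        // The payload cannot start inside the fixed header.
        if (header as usize) < HEADER_SIZE {
            return Err(layout_err());
        }
        // checked_sub: header_len > total_len is corruption, not a huge payload.
        let payload_len = total.checked_sub(header).ok_or_else(layout_err)?;

        let start = usize::try_from(header).map_err(|_| layout_err())?;
        let len = usize::try_from(payload_len).map_err(|_| layout_err())?;
        let end = start.checked_add(len).ok_or_else(layout_err)?;
        // get() rather than indexing: total_len claiming more than we were given is Truncated.
        let payload = bytes.get(start..end).ok_or(FwError::Truncated)?;
        Ok(FwImage { payload })
    }
}

/// The unchecked variant, for contrast: with overflow checks off this silently
/// wraps to a "plausible" length of about 4 GiB instead of failing.
pub fn naive_payload_len(total: u32, header: u32) -> u32 {
    total.wrapping_sub(header)
}

/// Builds a constructed image with arbitrary (possibly inconsistent) header fields.
pub fn build_image(total: u32, header: u32, payload: &[u8]) -> Vec<u8> {
    let mut v = Vec::with_capacity(HEADER_SIZE + payload.len());
    v.extend_from_slice(MAGIC);
    v.extend_from_slice(&total.to_le_bytes());
    v.extend_from_slice(&header.to_le_bytes());
    v.extend_from_slice(payload);
    v
}

fn main() {
    let good = build_image(16, 12, &[1, 2, 3, 4]);
    println!("good: {:?}", FwImage::parse(&good));
    // header_len > total_len: the naive subtraction underflows, the checked one errors.
    let corrupt = build_image(8, 12, &[1, 2, 3, 4]);
    println!("naive len: {}", naive_payload_len(8, 12));
    println!("checked:   {:?}", FwImage::parse(&corrupt));
}
```

The constructor does the validation once, so every later user of `FwImage` can index the payload without repeating the checks; that is the property the reply above argues for.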
