On 05.02.24 18:26, Stefan Hajnoczi wrote:
Hanna Czenczek <[email protected]> noted that the array index in
virtio_blk_dma_restart_cb() is not bounds-checked:

  g_autofree VirtIOBlockReq **vq_rq = g_new0(VirtIOBlockReq *, num_queues);
  ...
  while (rq) {
      VirtIOBlockReq *next = rq->next;
      uint16_t idx = virtio_get_queue_index(rq->vq);

      rq->next = vq_rq[idx];
                 ^^^^^^^^^^

The code is correct because both rq->vq and vq_rq[] depend on num_queues,
but this is indirect and not 100% obvious. Add an assertion.

Suggested-by: Hanna Czenczek <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
---
 hw/block/virtio-blk.c | 1 +
 1 file changed, 1 insertion(+)
Reviewed-by: Hanna Czenczek <[email protected]>
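The pattern the commit message describes, as an added stand-alone model rather than QEMU's own code: a chain of in-flight requests is re-bucketed into per-queue chains indexed by a value taken from the request itself, and the invariant that ties that index to the size of the per-queue array is checked with an assertion instead of being assumed. The names here (struct req, queue_index, req_queue_index, bucket_by_queue, build_demo_chain) are hypothetical stand-ins for VirtIOBlockReq, rq->vq and virtio_get_queue_index(); the sample chain is constructed for the example.

```c
/*
 * Added example (not QEMU code): a model of the per-queue re-bucketing loop
 * from virtio_blk_dma_restart_cb() with the bounds assertion made explicit.
 * All names are hypothetical stand-ins for the real QEMU types/functions.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct req {
    uint16_t queue_index;   /* stands in for the VirtQueue the request belongs to */
    struct req *next;
};

/* Stands in for virtio_get_queue_index(rq->vq): the index is derived from
 * the request, so nothing at the call site makes "idx < num_queues" obvious. */
static uint16_t req_queue_index(const struct req *rq)
{
    return rq->queue_index;
}

/*
 * Move every request on the single in-flight chain onto the per-queue chain
 * vq_rq[idx], pushing at the head. Returns the number of requests moved.
 * The assertion is the point of the example: idx comes from the request,
 * vq_rq has num_queues entries, and the invariant linking them is checked
 * here rather than relied on indirectly.
 */
static size_t bucket_by_queue(struct req *rq, struct req **vq_rq,
                              uint16_t num_queues)
{
    size_t moved = 0;

    while (rq) {
        struct req *next = rq->next;
        uint16_t idx = req_queue_index(rq);

        assert(idx < num_queues);   /* the explicit bounds check */

        rq->next = vq_rq[idx];      /* push onto that queue's chain */
        vq_rq[idx] = rq;
        rq = next;
        moved++;
    }
    return moved;
}

/* Length of a request chain, used to check the bucketing result. */
static size_t list_length(const struct req *head)
{
    size_t n = 0;
    for (; head; head = head->next) {
        n++;
    }
    return n;
}

/* Constructed sample: n requests chained in order, assigned round-robin over
 * num_queues queues (request i belongs to queue i % num_queues). */
static struct req *build_demo_chain(struct req *storage, size_t n,
                                    uint16_t num_queues)
{
    for (size_t i = 0; i < n; i++) {
        storage[i].queue_index = (uint16_t)(i % num_queues);
        storage[i].next = (i + 1 < n) ? &storage[i + 1] : NULL;
    }
    return n ? &storage[0] : NULL;
}

int main(void)
{
    enum { NUM_QUEUES = 2, NUM_REQS = 5 };
    struct req storage[NUM_REQS];
    struct req *vq_rq[NUM_QUEUES] = { NULL };
    struct req *head = build_demo_chain(storage, NUM_REQS, NUM_QUEUES);
    size_t moved = bucket_by_queue(head, vq_rq, NUM_QUEUES);

    printf("moved %zu requests\n", moved);
    for (int q = 0; q < NUM_QUEUES; q++) {
        printf("queue %d: %zu requests\n", q, list_length(vq_rq[q]));
    }
    return 0;
}
```

Because requests are pushed at the head, each per-queue chain ends up in reverse arrival order, which is why the example asserts on the head pointer as well as on the counts; if a request ever carried an index at or beyond num_queues, the assertion would fire before the out-of-bounds write instead of silently corrupting the adjacent stack or heap memory.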
