On 12/11/20 12:39 PM, Vladimir Sementsov-Ogievskiy wrote:
> Actually, we can't extend the io vector in all cases. Handle possible
> MAX_IOV and size_t overflows.
>
> For now add assertion to callers (actually they rely on success anyway)
> and fix them in the following patch.
>
> Add also some additional good assertions to qemu_iovec_init_slice()
> while being here.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
> ---
> include/qemu/iov.h | 2 +-
> block/io.c | 10 +++++++---
> util/iov.c | 25 +++++++++++++++++++++++--
> 3 files changed, 31 insertions(+), 6 deletions(-)
>
> @@ -492,7 +506,14 @@ bool qemu_iovec_is_zero(QEMUIOVector *qiov, size_t
> offset, size_t bytes)
> void qemu_iovec_init_slice(QEMUIOVector *qiov, QEMUIOVector *source,
> size_t offset, size_t len)
> {
> - qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL, 0);
> + int ret;
> +
> + assert(source->size >= len);
> + assert(source->size - len >= offset);
> +
> + /* We shrink the request, so we can't overflow neither size_t nor
> MAX_IOV */
We shrink the request, so neither size_t nor MAX_IOV will overflow
> + ret = qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL,
> 0);
> + assert(ret == 0);
> }
>
> void qemu_iovec_destroy(QEMUIOVector *qiov)
>
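Review bot: the two assertions at the top of qemu_iovec_init_slice() deserve a one-line comment stating why they are written and ordered this way: `assert(source->size >= len);` must come first so that the subtraction in `assert(source->size - len >= offset);` cannot wrap, which is what makes the pair an overflow-safe check that the slice [offset, offset + len) lies within source->size. Without that note a later reader may collapse them into `assert(offset + len <= source->size)`, where the addition itself can wrap in size_t and the check silently passes. Also, `ret` is only consumed by `assert(ret == 0);`, so it is worth a short comment that the return value is checked here precisely because this caller can never hit the MAX_IOV or size_t overflow paths the commit message describes (the request only shrinks), unlike the callers the next patch is meant to fix.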
Reviewed-by: Eric Blake <[email protected]>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org