Markus Armbruster writes:
> qio_channel_rdma_readv() assigns the size_t value of qemu_rdma_fill()
> to an int variable before it adds it to @done / subtracts it from
> @want, both size_t. This truncates the value when qemu_rdma_fill() copies
> more than INT_MAX bytes. That seems vanishingly unlikely, but it needs
> fixing all the same.
>
> Fixes: 6ddd2d76ca6f (migration: convert RDMA to use QIOChannel interface)
> Signed-off-by: Markus Armbruster
> ---
> migration/rdma.c | 14 +++---
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/migration/rdma.c b/migration/rdma.c
> index 4289346617..5f423f66f0 100644
> --- a/migration/rdma.c
> +++ b/migration/rdma.c
> @@ -2852,7 +2852,7 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc,
> RDMAControlHeader head;
> int ret = 0;
> ssize_t i;
> -size_t done = 0;
> +size_t done = 0, len;
>
> RCU_READ_LOCK_GUARD();
> rdma = qatomic_rcu_read(>rdmain);
> @@ -2873,9 +2873,9 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc,
> * were given and dish out the bytes until we run
> * out of bytes.
> */
> -ret = qemu_rdma_fill(rdma, data, want, 0);
> -done += ret;
> -want -= ret;
> +len = qemu_rdma_fill(rdma, data, want, 0);
> +done += len;
> +want -= len;
> /* Got what we needed, so go to next iovec */
> if (want == 0) {
> continue;
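Review bot: The new `want -= len` relies on qemu_rdma_fill() never returning more than `want`; with both operands now size_t, a return larger than `want` would wrap it to a huge value rather than going negative, and the `if (want == 0)` test just below would not catch it. If qemu_rdma_fill() guarantees that bound (it is passed `want` as its limit, which is the likely contract but not visible here), a one-line `assert(len <= want);` before the subtraction would pin that invariant; the same applies to the third hunk (`len = qemu_rdma_fill(rdma, data, want, 0);` followed by `want -= len;`). It is also worth confirming that `ret`, still declared `int ret = 0;` in the first hunk, has a remaining use once these two assignments are gone, otherwise the now-unused variable should be dropped. qio_channel_rdma_readv() begins and ends outside the hunk.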
> @@ -2902,9 +2902,9 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc,
> /*
> * SEND was received with new bytes, now try again.
> */
> -ret = qemu_rdma_fill(rdma, data, want, 0);
> -done += ret;
> -want -= ret;
> +len = qemu_rdma_fill(rdma, data, want, 0);
> +done += len;
> +want -= len;
>
> /* Still didn't get enough, so lets just return */
> if (want) {
Reviewed-by: Fabiano Rosas