On 12/11/20 12:39 PM, Vladimir Sementsov-Ogievskiy wrote:
> Actually, we can't extend the io vector in all cases. Handle possible
> MAX_IOV and size_t overflows.
>
> For now add assertion to callers (actually they rely on success anyway)
> and fix them in the following patch.
>
> Add also some additional good assertions to qemu_iovec_init_slice()
> while being here.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com>
> ---
>  include/qemu/iov.h |  2 +-
>  block/io.c         | 10 +++++++---
>  util/iov.c         | 25 +++++++++++++++++++++++--
>  3 files changed, 31 insertions(+), 6 deletions(-)
>
> @@ -492,7 +506,14 @@ bool qemu_iovec_is_zero(QEMUIOVector *qiov, size_t > offset, size_t bytes) > void qemu_iovec_init_slice(QEMUIOVector *qiov, QEMUIOVector *source, > size_t offset, size_t len) > { > - qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL, 0); > + int ret; > + > + assert(source->size >= len); > + assert(source->size - len >= offset); > + > + /* We shrink the request, so we can't overflow neither size_t nor > MAX_IOV */ We shrink the request, so neither size_t nor MAX_IOV will overflow > + ret = qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL, > 0); > + assert(ret == 0); > } > > void qemu_iovec_destroy(QEMUIOVector *qiov) > Reviewed-by: Eric Blake <ebl...@redhat.com> -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
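Review bot: the added comment in qemu_iovec_init_slice() reads "we can't overflow neither size_t nor MAX_IOV", a double negative that says the opposite of what is meant; reword it to "We shrink the request, so neither size_t nor MAX_IOV can overflow", as already suggested inline above. The same comment should also say why the bounds check is written as two assertions, `assert(source->size >= len);` followed by `assert(source->size - len >= offset);`, rather than the obvious `offset + len <= source->size`: the split form never computes `offset + len`, which could itself wrap in size_t and make a too-large slice pass the check, and without a note a later cleanup may well "simplify" it back into the overflowing form. Finally, `ret` is consumed only by `assert(ret == 0);`; that is fine as long as assertions are always compiled in, but if they were ever disabled the variable would become unused and the failure of qemu_iovec_init_extended() would go silently unchecked, so a short comment stating that the call cannot fail for a shrinking request (which is what the assertion documents) would make the intent explicit.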