On Fri, Jun 06, 2014 at 09:53:27AM +0800, Fam Zheng wrote:
> @@ -200,17 +193,12 @@ static int process_request(VirtIOBlockDataPlane *s,
> VirtQueueElement *elem)
> }
> iov_discard_front(&iov, &out_num, sizeof(outhdr));
>
> + /* This is always true because it is only 1 byte, but checked here in
> case
> + * the header gets bigger in the future. */
> + assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr));
> /* Grab inhdr for later */
> - in_size = iov_size(in_iov, in_num);
> - if (in_size < sizeof(struct virtio_blk_inhdr)) {
> - error_report("virtio_blk request inhdr too short");
> - return -EFAULT;
> - }
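Review bot: the new `assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr))` turns a guest-controlled condition into a host-side abort, and it indexes `in_iov[-1]` when `in_num == 0`, since nothing in this hunk checks `in_num >= 1` before the subscript. The comment above it ("always true because it is only 1 byte") reasons about a well-behaved guest, but `in_num` and each `iov_len` come straight from the descriptors the guest placed in the vring, so a buggy or hostile guest can make the assertion false and crash the dataplane thread. The removed lines handled exactly this case by failing the request with `error_report(...)` and `return -EFAULT`; that path (or an equivalent one that first rejects `in_num == 0` and then a too-short trailing `in_iov` element) should stay, with the assertion at most kept as an additional sanity check after the runtime validation has passed.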
This assertion can be triggered by the guest. It even accesses
undefined memory when in_num == 0.
Please be careful, we need to validate guest input.
Stefan