"Dr. David Alan Gilbert" <dgilb...@redhat.com> wrote:
> * Juan Quintela (quint...@redhat.com) wrote:
>> "Dr. David Alan Gilbert" <dgilb...@redhat.com> wrote:
>> > * Juan Quintela (quint...@redhat.com) wrote:
>> > I think that needs validating to ensure that the source didn't
>> > send us junk and cause us to overwrite after the end of block->host
>>
>> if (offset > block->used_length) {
>>     error_setg(errp, "multifd: offset too long %" PRId64
>>                " (max %" PRId64 ")",
>>                offset, block->max_length);
>>     return -1;
>> }
>> ??
>
> It's probably (offset + TARGET_PAGE_SIZE) that needs checking
> but it needs doing in a wrap-safe way.
>

if ((offset + TARGET_PAGE_SIZE) < offset) {
    error_setg(errp, "multifd: offset %" PRId64 " wraps around"
               " with offset: %" PRId64,
               offset, block->max_length);
    return -1;
}
if ((offset + TARGET_PAGE_SIZE) > block->used_length) {
    error_setg(errp, "multifd: offset too long %" PRId64
               " (max %" PRId64 ")",
               offset, block->max_length);
    return -1;
}

Sometimes I wonder how it is that we don't have

    ramblock_contains_range(ramblock, start, size);

But well, c'est la vie.

Later, Juan.
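As an added example, not code from this thread or from QEMU: a wrap-safe version of the ramblock_contains_range() helper Juan wishes for, beside the naive form that integer wrap defeats. The RAMBlock struct, the TARGET_PAGE_SIZE value and the sample block lengths are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for QEMU's RAMBlock with only the fields the check reads. */
typedef struct RAMBlock {
    uint64_t used_length;   /* bytes in use; never exceeds max_length */
    uint64_t max_length;
} RAMBlock;

#define TARGET_PAGE_SIZE 4096ULL   /* assumed page size for this example */

/* Sample block: 8 KiB in use out of 16 KiB allocated (constructed values). */
static const RAMBlock example_block = { .used_length = 8192, .max_length = 16384 };

/* Naive form: start + size can wrap past UINT64_MAX and compare small,
 * so an out-of-range offset from the source passes the check. */
static bool naive_contains_range(const RAMBlock *block,
                                 uint64_t start, uint64_t size)
{
    return start + size <= block->used_length;
}

/*
 * Hypothetical ramblock_contains_range(): true iff [start, start + size)
 * lies inside the block's used region.  It never computes start + size,
 * so an untrusted start value cannot wrap the comparison.
 */
static bool ramblock_contains_range(const RAMBlock *block,
                                    uint64_t start, uint64_t size)
{
    if (start > block->used_length) {
        return false;
    }
    /* No underflow: the check above guarantees used_length >= start. */
    return size <= block->used_length - start;
}

/* The multifd check from the thread, expressed through the helper:
 * 0 when the page at `offset` may be written into the block, -1 otherwise. */
static int multifd_check_offset(const RAMBlock *block, uint64_t offset)
{
    return ramblock_contains_range(block, offset, TARGET_PAGE_SIZE) ? 0 : -1;
}
```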