On 31/03/15 14:30, Julien Grall wrote:
>
>> Furthermore, two size parameters serve no useful purpose. The caller
>> must always be in a position to decide a plausible upper bound.
> I don't understand the problem with having two size parameters...
>
> The first one is the size given by the guest while the second one is the
> upper bound.
>
> The maximum size may change for every caller. Hence the second size
> parameter.
The caller shouldn't even be calling safe_copy_string_from_guest() with a
guest-controlled, implausibly large size. The caller should be doing
something like:

    if ( usersize > PLAUSIBLE_UPPER_BOUND )
        ... fail
    else
        data = safe_copy_string_from_guest(hnd, usersize);

Mixing plausibility checks and string copying in a single function is an
antipattern, and IMO should not be moved into a common helper function
like this.

~Andrew
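The caller-side pattern argued for above, as an added example that is not part of this thread or of Xen's own code: guest_hnd_t, copy_from_guest_sim(), PLAUSIBLE_UPPER_BOUND and handle_guest_name() are constructed stand-ins for Xen's guest handles, copy_from_guest() and a hypercall handler, so the pattern runs in user space.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a guest handle: real Xen code would use a
 * XEN_GUEST_HANDLE and copy_from_guest(); this just models a window of
 * guest memory so the example runs in user space. */
typedef struct { const char *base; size_t len; } guest_hnd_t;

/* Hypothetical bound for this particular hypercall argument; each caller
 * picks its own, which is the point of the reply. */
#define PLAUSIBLE_UPPER_BOUND 64

/* Simulated copy_from_guest(): -EFAULT if the range runs past guest memory. */
static int copy_from_guest_sim(char *dst, guest_hnd_t hnd, size_t n)
{
    if ( n > hnd.len )
        return -EFAULT;
    memcpy(dst, hnd.base, n);
    return 0;
}

/* Single-size helper: copy `size` bytes and append our own NUL, so an
 * unterminated guest string cannot run past the buffer. Returns a
 * malloc'd string, or NULL with *err set to a negative errno value. */
char *safe_copy_string_from_guest(guest_hnd_t hnd, size_t size, int *err)
{
    char *buf = malloc(size + 1);

    if ( !buf ) { *err = -ENOMEM; return NULL; }
    if ( copy_from_guest_sim(buf, hnd, size) )
    {
        free(buf);
        *err = -EFAULT;
        return NULL;
    }
    buf[size] = '\0';
    *err = 0;
    return buf;
}

/* Caller: the plausibility check lives here, before anything is copied. */
int handle_guest_name(guest_hnd_t hnd, size_t usersize, char **out)
{
    int err;

    *out = NULL;
    if ( usersize > PLAUSIBLE_UPPER_BOUND )
        return -ENOBUFS;
    *out = safe_copy_string_from_guest(hnd, usersize, &err);
    return err;
}
```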