block: Limit size to INT_MAX in bdrv_check_byte_request()

Commit 8f4754ed intended to protect against integer overflow bugs in block drivers by making sure that a single request that is passed to drivers is no longer than INT_MAX bytes. However, meanwhile there are some callers that don't use that code path any more but call bdrv_check_byte_request() directy, so let's add a check there as well. Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Reviewed-by: N Max Reitz <mreitz@redhat.com>

block: Limit size to INT_MAX in bdrv_check_byte_request()
Commit 8f4754ed intended to protect against integer overflow bugs in block drivers by making sure that a single request that is passed to drivers is no longer than INT_MAX bytes. However, meanwhile there are some callers that don't use that code path any more but call bdrv_check_byte_request() directy, so let's add a check there as well. Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Reviewed-by: N Max Reitz <mreitz@redhat.com>
1dd3a447 · Kevin Wolf · 54db38a4 · 1dd3a447
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

block.c block.c +4 -0

未找到文件。
--- a/block.c
+++ b/block.c
@@ -2581,6 +2581,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
 {
    int64_t len;

+    if (size > INT_MAX) {
+        return -EIO;
+    }
+
    if (!bdrv_is_inserted(bs))
        return -ENOMEDIUM;