* [Qemu-devel] [PATCH] qcow2: Fix access after end of array
@ 2010-02-16 14:54 Kevin Wolf
2010-02-19 22:01 ` Anthony Liguori
From: Kevin Wolf @ 2010-02-16 14:54 UTC
To: qemu-devel; +Cc: kwolf
If a write request crosses an L2 table boundary and all clusters until the
end of the L2 table are usable for the request, we must not look at the next
L2 entry because we have already arrived at the end of the array.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/qcow2-cluster.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 3501a94..b13b693 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -750,12 +750,15 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
while (i < nb_clusters) {
i += count_contiguous_clusters(nb_clusters - i, s->cluster_size,
&l2_table[l2_index], i, 0);
-
- if(be64_to_cpu(l2_table[l2_index + i]))
+ if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
break;
+ }
i += count_contiguous_free_clusters(nb_clusters - i,
&l2_table[l2_index + i]);
+ if (i >= nb_clusters) {
+ break;
+ }
cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
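Review bot: the two new `i >= nb_clusters` checks only keep `l2_index + i` inside the array if the caller has already clamped `nb_clusters` so that `l2_index + nb_clusters` does not run past the L2 table, which is what the commit message presumes but nothing in this hunk states; a one-line comment (or an assert on that bound) at the top of the `while` loop would document why `nb_clusters` is the right limit. The first check also depends on `||` short-circuiting so that `be64_to_cpu(l2_table[l2_index + i])` is not evaluated once `i >= nb_clusters`; that is correct, but swapping the operands would silently reintroduce the read past the end, so it deserves a comment.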
@@ -763,6 +766,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
(cluster_offset & QCOW_OFLAG_COMPRESSED))
break;
}
+ assert(i <= nb_clusters);
nb_clusters = i;
/*
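Review bot: `assert(i <= nb_clusters)` is compiled out under NDEBUG, so it records the invariant rather than enforcing it; since the guarantee actually comes from both count helpers being bounded by `nb_clusters - i`, a short comment next to the assert saying so would help the next reader. A style point: the new `if` blocks use braces, while the `break;` after the `QCOW_OFLAG_COMPRESSED` test in this hunk remains unbraced; since the patch already touches this function, bracing it consistently would be cleaner.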
--
1.6.6
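To see the off-by-one read the patch removes, the following is an added example (not QEMU code and not part of this thread): a toy model of the "how many available clusters?" scan from qcow2_alloc_cluster_offset(). The helpers are simplified stand-ins for count_contiguous_clusters() and count_contiguous_free_clusters(), the tables are constructed, host-endian and only 8 entries long, and OFLAG_COPIED and OFLAG_COMPRESSED are stand-ins for the QCOW_OFLAG_* bits; every table access goes through an auditing accessor so the pre-patch loop shape can be run side by side with the patched one without actually reading past the array.

```c
/* Added example, not QEMU code: toy model of the cluster scan in
 * qcow2_alloc_cluster_offset().  Helpers, table size and flag values are
 * simplified stand-ins (assumptions), chosen to reproduce the loop shape. */
#include <stdint.h>
#include <stdio.h>

#define CLUSTER_SIZE     65536ULL
#define L2_ENTRIES       8            /* toy size; a real L2 table has cluster_size / 8 entries */
#define OFLAG_COPIED     (1ULL << 63) /* stand-in for QCOW_OFLAG_COPIED */
#define OFLAG_COMPRESSED (1ULL << 62) /* stand-in for QCOW_OFLAG_COMPRESSED */

struct l2_scan {
    const uint64_t *l2;
    int entries;
    int oob_reads;   /* reads with index >= entries: the bug the patch removes */
    int max_index;   /* highest index the scan touched */
};

/* All table reads go through here so an out-of-bounds index is counted and
 * neutralised instead of reading past the array as the original code did. */
static uint64_t l2_read(struct l2_scan *s, int idx)
{
    if (idx > s->max_index)
        s->max_index = idx;
    if (idx >= s->entries) {
        s->oob_reads++;
        return 0;
    }
    return s->l2[idx];
}

/* Run of allocated entries from start whose offsets step by one cluster,
 * capped at nb; never reads beyond start + nb - 1. */
static int model_count_contiguous(struct l2_scan *s, int nb, int start)
{
    uint64_t first;
    int n = 0;
    if (nb <= 0 || (first = l2_read(s, start)) == 0)
        return 0;
    while (n < nb && l2_read(s, start + n) == first + n * CLUSTER_SIZE)
        n++;
    return n;
}

/* Run of free (zero) entries from start, capped at nb. */
static int model_count_free(struct l2_scan *s, int nb, int start)
{
    int n = 0;
    while (n < nb && l2_read(s, start + n) == 0)
        n++;
    return n;
}

/* The scan loop.  fixed == 0 keeps the pre-patch shape, which reads
 * l2[l2_index + i] after each run even when i == nb_clusters;
 * fixed == 1 adds the two bounds checks from the patch. */
static int scan_usable_clusters(struct l2_scan *s, int l2_index, int nb_clusters, int fixed)
{
    int i = 0;
    uint64_t cluster_offset;

    while (i < nb_clusters) {
        i += model_count_contiguous(s, nb_clusters - i, l2_index + i);
        if (fixed && i >= nb_clusters)
            break;
        if (l2_read(s, l2_index + i))   /* allocated but not contiguous: stop */
            break;

        i += model_count_free(s, nb_clusters - i, l2_index + i);
        if (fixed && i >= nb_clusters)
            break;

        cluster_offset = l2_read(s, l2_index + i);
        if (cluster_offset & (OFLAG_COPIED | OFLAG_COMPRESSED))
            break;
    }
    return i;
}

struct scan_result { int usable, oob_reads, max_index; };

static struct scan_result run_scan(const uint64_t *table, int l2_index, int nb_clusters, int fixed)
{
    struct l2_scan s = { table, L2_ENTRIES, 0, -1 };
    struct scan_result r;
    r.usable = scan_usable_clusters(&s, l2_index, nb_clusters, fixed);
    r.oob_reads = s.oob_reads;
    r.max_index = s.max_index;
    return r;
}

/* Constructed tables.  FREE_TAIL: entries 0-1 allocated and contiguous, 2-3 free,
 * 4 allocated with COPIED set, 5-7 free.  ALLOC_TAIL: only 6-7 allocated, contiguous. */
static const uint64_t TABLE_FREE_TAIL[L2_ENTRIES] = {
    5 * CLUSTER_SIZE, 6 * CLUSTER_SIZE, 0, 0, (8 * CLUSTER_SIZE) | OFLAG_COPIED, 0, 0, 0,
};
static const uint64_t TABLE_ALLOC_TAIL[L2_ENTRIES] = {
    0, 0, 0, 0, 0, 0, 9 * CLUSTER_SIZE, 10 * CLUSTER_SIZE,
};

static void show(const char *name, const uint64_t *t, int l2_index, int nb)
{
    struct scan_result a = run_scan(t, l2_index, nb, 0), b = run_scan(t, l2_index, nb, 1);
    printf("%-10s l2_index=%d nb=%d | pre-patch: usable=%d oob=%d max=%d | patched: usable=%d oob=%d max=%d\n",
           name, l2_index, nb, a.usable, a.oob_reads, a.max_index, b.usable, b.oob_reads, b.max_index);
}

int main(void)
{
    show("free tail", TABLE_FREE_TAIL, 6, 2);   /* request ends at the table end, clusters free */
    show("alloc tail", TABLE_ALLOC_TAIL, 6, 2); /* request ends at the table end, clusters allocated */
    show("middle", TABLE_FREE_TAIL, 2, 2);      /* request ends mid-table: both variants stay in bounds */
    return 0;
}
```

The two tail cases are the ones the commit message describes: a request covering the last entries of the table, either all free or all allocated. In the pre-patch shape each case reads index 8 of an 8-entry table (once after the free run, twice after the allocated run), while the patched shape stops at index 7; the usable-cluster count is identical in both, which is why the bug was silent. The "middle" case shows the other side: when the request ends before the table end, the pre-patch read of the next entry is in bounds and harmless.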
* Re: [Qemu-devel] [PATCH] qcow2: Fix access after end of array
2010-02-16 14:54 [Qemu-devel] [PATCH] qcow2: Fix access after end of array Kevin Wolf
@ 2010-02-19 22:01 ` Anthony Liguori
From: Anthony Liguori @ 2010-02-19 22:01 UTC
To: Kevin Wolf; +Cc: qemu-devel
On 02/16/2010 08:54 AM, Kevin Wolf wrote:
> If a write request crosses an L2 table boundary and all clusters until the
> end of the L2 table are usable for the request, we must not look at the next
> L2 entry because we have already arrived at the end of the array.
>
> Signed-off-by: Kevin Wolf<kwolf@redhat.com>
>
Applied. Thanks.
Regards,
Anthony Liguori
> ---
> block/qcow2-cluster.c | 8 ++++++--
> 1 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
> index 3501a94..b13b693 100644
> --- a/block/qcow2-cluster.c
> +++ b/block/qcow2-cluster.c
> @@ -750,12 +750,15 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
> while (i< nb_clusters) {
> i += count_contiguous_clusters(nb_clusters - i, s->cluster_size,
> &l2_table[l2_index], i, 0);
> -
> - if(be64_to_cpu(l2_table[l2_index + i]))
> + if ((i>= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
> break;
> + }
>
> i += count_contiguous_free_clusters(nb_clusters - i,
> &l2_table[l2_index + i]);
> + if (i>= nb_clusters) {
> + break;
> + }
>
> cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
>
> @@ -763,6 +766,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
> (cluster_offset& QCOW_OFLAG_COMPRESSED))
> break;
> }
> + assert(i<= nb_clusters);
> nb_clusters = i;
>
> /*
>