From deaa4693c8533862fdda9bf584c24d4f2ef50029 Mon Sep 17 00:00:00 2001
From: Kevin Wolf
Date: Thu, 8 May 2014 13:35:09 +0200
Subject: [PATCH] qcow1: Stricter backing file length check

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead of silently truncating them to 1023.

Also don't rely on bdrv_pread() catching integer overflows that make len negative, but use unsigned variables in the first place.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf
Reviewed-by: Benoit Canet
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)

Conflicts: tests/qemu-iotests/092 tests/qemu-iotests/092.out
---
 block/qcow.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index f9cb009..c0a3b89 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 Error **errp)
 {
 BDRVQcowState *s = bs->opaque;
- int len, i, shift, ret;
+ unsigned int len, i, shift;
+ int ret;
 QCowHeader header;

 ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
@@ -201,7 +202,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 if (header.backing_file_offset != 0) {
 len = header.backing_file_size;
 if (len > 1023) {
- len = 1023;
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
 }
 ret = bdrv_pread(bs->file, header.backing_file_offset,
 bs->backing_file, len);
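Review bot: The new rejection in `if (len > 1023)` still hard-codes the limit instead of deriving it from the destination, so the `bdrv_pread()` into `bs->backing_file` right after it is only safe while that buffer holds at least 1024 bytes; its declaration is outside this patch, so that is an assumption here. Since `len` is taken straight from the image header, I would bound it by the buffer as well, `if (len > 1023 || len >= sizeof(bs->backing_file)) {` (assuming `backing_file` is an array member), which keeps the format limit and states the memory-safety condition explicitly. The `Conflicts:` trailer suggests the upstream iotests 092 cases were dropped in this cherry-pick, and the diffstat shows only block/qcow.c, so the backport carries no regression test for an over-long backing file name. qcow_open continues outside both hunks, so the `fail` label and the other uses of the now-unsigned `i` and `shift` could not be checked from here.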