peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago
Blame 0105-qcow1-Stricter-backing-file-length-check.patch

From deaa4693c8533862fdda9bf584c24d4f2ef50029 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 8 May 2014 13:35:09 +0200
Subject: [PATCH] qcow1: Stricter backing file length check

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.

Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)

Conflicts:
	tests/qemu-iotests/092
	tests/qemu-iotests/092.out
---
 block/qcow.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index f9cb009..c0a3b89 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
                      Error **errp)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i, shift, ret;
+    unsigned int len, i, shift;
+    int ret;
     QCowHeader header;
 
     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
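Review bot: In the declaration change at the top of qcow_open(), i and shift become unsigned along with len, but the commit message only justifies the change for len (the backing file length). Please confirm that no later use of i or shift in the function depends on signed behaviour, such as a comparison against a negative value or a loop counting down past zero, or split the declaration so that only len changes type. Keeping ret as a separate int is right, since it holds the return value of bdrv_pread() and is assigned -EINVAL in the next hunk.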
@@ -201,7 +202,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
         if (len > 1023) {
-            len = 1023;
+            error_setg(errp, "Backing file name too long");
+            ret = -EINVAL;
+            goto fail;
         }
         ret = bdrv_pread(bs->file, header.backing_file_offset,
                    bs->backing_file, len);
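Review bot: The bound in "if (len > 1023)" remains a bare literal, so nothing ties the check to the size of the bs->backing_file buffer that the following bdrv_pread() fills; if 1023 is that buffer's size minus one, writing it as sizeof(bs->backing_file) - 1 would keep the two in step. The message "Backing file name too long" could also report the rejected length, which helps when diagnosing a malformed image. Separately, the Conflicts list names tests/qemu-iotests/092 and 092.out while the diffstat shows only block/qcow.c changed, so this backport appears to carry no regression test for the new error path; it is worth confirming the check is covered some other way.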