From patchwork Tue Jan 27 13:33:55 2015
X-Patchwork-Submitter: Jeff Cody
X-Patchwork-Id: 433484
From: Jeff Cody
To: qemu-devel@nongnu.org
Date: Tue, 27 Jan 2015 08:33:55 -0500
Cc: kwolf@redhat.com
Subject: [Qemu-devel] [PATCH] block: fix off-by-one error in qcow and qcow2

This fixes an off-by-one error introduced in 9a29e18. Both qcow and qcow2 need to make sure to leave room for string terminator '\0' for the backing file, so the max length of the non-terminated string is either 1023 or PATH_MAX - 1.

Reported-by: Kevin Wolf
Signed-off-by: Jeff Cody
Reviewed-by: Kevin Wolf
---
block/qcow.c | 2 +-
block/qcow2.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c index ccbe9e0..0558969 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; - if (len > 1023 || len > sizeof(bs->backing_file)) { + if (len > 1023 || len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail; diff --git a/block/qcow2.c b/block/qcow2.c index dbaf016..7e614d7 100644 --- a/block/qcow2.c +++ b/block/qcow2.c 
@@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, if (header.backing_file_offset != 0) { len = header.backing_file_size; if (len > MIN(1023, s->cluster_size - header.backing_file_offset) || - len > sizeof(bs->backing_file)) { + len >= sizeof(bs->backing_file)) { error_setg(errp, "Backing file name too long"); ret = -EINVAL; goto fail;
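Review bot: in the qcow.c hunk, `>=` is the correct bound: with the old `len > sizeof(bs->backing_file)`, a header.backing_file_size exactly equal to sizeof(bs->backing_file) passed the check, leaving no byte for the '\0' terminator the commit message says must follow the name. The literal `1023` in the same condition is now only consistent with the second term as long as sizeof(bs->backing_file) is 1024, so consider expressing both limits as `sizeof(bs->backing_file) - 1` (or one named constant) so the two bounds cannot drift apart in a later change.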
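Review bot: the qcow2.c hunk applies the same `>=` correction and is consistent with the qcow.c change, but the other half of the condition, `MIN(1023, s->cluster_size - header.backing_file_offset)`, is what keeps the name inside the first cluster, and that subtraction is only meaningful if header.backing_file_offset has already been checked to be below s->cluster_size; that check is not visible in this hunk, so it is worth confirming it happens earlier in qcow2_open(). A qemu-iotests case opening images whose backing file name is exactly 1023 and exactly 1024 bytes long would pin this boundary for both drivers.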