Commit 33f461e0 authored by Kevin Wolf's avatar Kevin Wolf
Browse files

block: Make qiov match the request size until EOF 



If a read request goes across EOF, the block driver sees a shortened
request that stops at EOF (the rest is memsetted in block.c), however
the original qiov was used for this request.

This patch makes the qiov size match the request size, avoiding a
potential buffer overflow in raw-posix.

Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
parent 0ceb849b

block.c

+14 −2
Original line number Diff line number Diff line
@@ -3054,8 +3054,20 @@ static int coroutine_fn bdrv_aligned_preadv(BlockDriverState *bs, 
        max_nb_sectors = ROUND_UP(MAX(0, total_sectors - sector_num),

                                  align >> BDRV_SECTOR_BITS);

        if (max_nb_sectors > 0) {

            ret = drv->bdrv_co_readv(bs, sector_num,

                                     MIN(nb_sectors, max_nb_sectors), qiov);

            QEMUIOVector local_qiov;

            size_t local_sectors;



            max_nb_sectors = MIN(max_nb_sectors, SIZE_MAX / BDRV_SECTOR_BITS);

            local_sectors = MIN(max_nb_sectors, nb_sectors);



            qemu_iovec_init(&local_qiov, qiov->niov);

            qemu_iovec_concat(&local_qiov, qiov, 0,

                              local_sectors * BDRV_SECTOR_SIZE);



            ret = drv->bdrv_co_readv(bs, sector_num, local_sectors,

                                     &local_qiov);



            qemu_iovec_destroy(&local_qiov);

        } else {

            ret = 0;

        }