Commit e729fa6a authored Jan 27, 2015 by Jeff Cody Committed by Kevin Wolf Feb 06, 2015

block: fix off-by-one error in qcow and qcow2



This fixes an off-by-one error introduced in 9a29e18f.  Both qcow and
qcow2 need to make sure to leave room for string terminator '\0' for
the backing file, so the max length of the non-terminated string is
either 1023 or PATH_MAX - 1.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

parent 319fc53e

block/qcow.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState bs, QDict options, int flags,
		/* read the backing file name */
		if (header.backing_file_offset != 0) {
		len = header.backing_file_size;
		if (len > 1023 \|\| len > sizeof(bs->backing_file)) {
		if (len > 1023 \|\| len >= sizeof(bs->backing_file)) {
		error_setg(errp, "Backing file name too long");
		ret = -EINVAL;
		goto fail;

block/qcow2.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState bs, QDict options, int flags,
		if (header.backing_file_offset != 0) {
		len = header.backing_file_size;
		if (len > MIN(1023, s->cluster_size - header.backing_file_offset) \|\|
		len > sizeof(bs->backing_file)) {
		len >= sizeof(bs->backing_file)) {
		error_setg(errp, "Backing file name too long");
		ret = -EINVAL;
		goto fail;