Improve block range checks

This patch makes the range checks for block requests more strict: It fixes a
potential integer overflow and checks for negative offsets. Also, it adds the
check for compressed writes.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit fbb7b4e0804d2168f24142eebf7552adde1968dc)

diff --git a/block.c b/block.c
index 3261225f7877ed68442a8397d223b492ca8a4e55..69c6da55f0ec42d56d1a32793da544de2b222123 100644 (file)
--- a/block.c
+++ b/block.c
@@ -559,7 +559,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
 
     len = bdrv_getlength(bs);
 
-    if ((offset + size) > len)
+    if (offset < 0)
+        return -EIO;
+
+    if ((offset > len) || (len - offset < size))
         return -EIO;
 
     return 0;
@@ -1209,6 +1212,8 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
        return -EIO;
     if (!drv->bdrv_write_compressed)
         return -ENOTSUP;
+    if (bdrv_check_request(bs, sector_num, nb_sectors))
+        return -EIO;
     return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
 }