From e2863d35f2aca7f9f2651c7d0f0569a7f87fb7e1 Mon Sep 17 00:00:00 2001
From: Keir Fraser <keir@xensource.com>
Date: Thu, 8 Nov 2007 18:26:08 +0000
Subject: [PATCH] blkback: Sanity-check nr_segments parameter. From: Gerd
 Hoffmann <kraxel@redhat.com> Signed-off-by: Keir Fraser
 <keir.fraser@eu.citrix.com>

---
 include/xen/blkif.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/xen/blkif.h b/include/xen/blkif.h
index 4d6c6638..aaec9baf 100644
--- a/include/xen/blkif.h
+++ b/include/xen/blkif.h
@@ -72,25 +72,29 @@ enum blkif_protocol {
 
 static void inline blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_request_t *src)
 {
-	int i;
+	int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
 	dst->operation = src->operation;
 	dst->nr_segments = src->nr_segments;
 	dst->handle = src->handle;
 	dst->id = src->id;
 	dst->sector_number = src->sector_number;
-	for (i = 0; i < src->nr_segments; i++)
+	if (n > src->nr_segments)
+		n = src->nr_segments;
+	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }
 
 static void inline blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_request_t *src)
 {
-	int i;
+	int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
 	dst->operation = src->operation;
 	dst->nr_segments = src->nr_segments;
 	dst->handle = src->handle;
 	dst->id = src->id;
 	dst->sector_number = src->sector_number;
-	for (i = 0; i < src->nr_segments; i++)
+	if (n > src->nr_segments)
+		n = src->nr_segments;
+	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }
 
-- 
2.39.5