From: Stefan Weil
Subject: Re: [Qemu-devel] [PATCH 1/4] load_image_targphys() should enforce the max size
Date: Wed, 11 Jan 2012 07:19:00 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20111108 Thunderbird/3.1.16

On 11.01.2012 06:44, David Gibson wrote:
From: Benjamin Herrenschmidt <address@hidden>

load_image_targphys() gets passed a max size for the file, but
doesn't enforce it at all. Add a check and return -1 (error) if
the file is too big, without loading it.

Signed-off-by: Benjamin Herrenschmidt <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/loader.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/hw/loader.c b/hw/loader.c
index 446b628..7ad9e22 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -108,6 +108,8 @@ int load_image_targphys(const char *filename,
int size;

size = get_image_size(filename);
+ if (size > max_sz)
+ return -1;
if (size > 0)
rom_add_file_fixed(filename, addr, -1);
return size;
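Review bot: the new `if (size > max_sz)` check compares an `int size` that get_image_size() has already narrowed from lseek()'s off_t, so a file whose length does not fit in an int can wrap to a small or negative value and slip past both this check and the following `if (size > 0)`; widen `size` (and get_image_size()'s return type) to a 64-bit type, or have get_image_size() report an error when it cannot represent the length. The two-line `if` should also carry braces per CODING_STYLE and scripts/checkpatch.pl, even though the surrounding code omits them.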

Even if this file is full of block statements without braces,
we should not add more of them. See CODING_STYLE and
scripts/checkpatch.pl.

There remains an additional problem:
Using 'int' for the size of files was sufficient 10 years ago,
but it no longer is. get_image_size() silently reduces the
return value from lseek() to an 'int' value. So even with your
patch, very large files will be loaded (partially)!

Regards,
Stefan Weil
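An added example (not part of the thread or of QEMU's hw/loader.c) that demonstrates the truncation Stefan describes and a 64-bit-clean replacement for the check. The function names are hypothetical; `narrow_to_int` models get_image_size() storing lseek()'s off_t in an `int`, and the modulo-2^32 wraparound it relies on is the gcc/clang behaviour, assumed here together with a 64-bit off_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* What get_image_size() effectively does: an off_t squeezed into an int.
 * Assumption: the conversion wraps modulo 2^32 (gcc/clang behaviour). */
static int narrow_to_int(int64_t file_len)
{
    return (int)file_len;
}

/* The check as quoted in the hunk, operating on the already-narrowed size.
 * Returns 1 when the file would be loaded, 0 when it is rejected. */
static int patched_check_accepts(int64_t file_len, int max_sz)
{
    int size = narrow_to_int(file_len);
    if (size > max_sz) {
        return 0;       /* rejected as too big */
    }
    return size > 0;    /* loaded, possibly only partially! */
}

/* 64-bit-clean alternative: keep the lseek() result in a wide type.
 * Returns the file length in bytes, or -1 on error. */
static int64_t image_size_of_fd(int fd)
{
    off_t end = lseek(fd, 0, SEEK_END);
    if (end < 0) {
        return -1;
    }
    return (int64_t)end;
}

/* Same policy as the hunk, but compared without ever narrowing. */
static int wide_check_accepts(int64_t file_len, int64_t max_sz)
{
    if (file_len < 0 || file_len > max_sz) {
        return 0;
    }
    return file_len > 0;
}
```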
