From: Jennifer Herbert
Date: Wed, 26 Apr 2017 07:40:00 +0000 (+0200)
Subject: hvm/dmop: make copy_buf_{from, to}_guest for a buffer not big enough an error
X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~2197
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success/%22http:/www.example.com/cgi/success?a=commitdiff_plain;h=60f07f8adb5d0473b8e820509f2a6dfaa5443ca2;p=xen.git

hvm/dmop: make copy_buf_{from, to}_guest for a buffer not big enough an error

This makes copying to or from a buf that isn't big enough an error. If the buffer isnt big enough, trying to carry on regardless can only cause trouble later on.

Signed-off-by: Jennifer Herbert
Reviewed-by: Paul Durrant
Release-acked-by: Julien Grall
---
diff --git a/xen/arch/x86/hvm/dm.c b/xen/arch/x86/hvm/dm.c
index e583e4147e..89186d249e 100644
--- a/xen/arch/x86/hvm/dm.c
+++ b/xen/arch/x86/hvm/dm.c
@@ -36,30 +36,32 @@ static bool copy_buf_from_guest(const xen_dm_op_buf_t bufs[],
 unsigned int nr_bufs, void *dst,
 unsigned int idx, size_t dst_size)
 {
- size_t size;
+ size_t buf_bytes;

 if ( idx >= nr_bufs )
 return false;

- memset(dst, 0, dst_size);
-
- size = min_t(size_t, dst_size, bufs[idx].size);
+ buf_bytes = bufs[idx].size;
+ if ( dst_size > buf_bytes )
+ return false;

- return !copy_from_guest(dst, bufs[idx].h, size);
+ return !copy_from_guest(dst, bufs[idx].h, dst_size);
 }

 static bool copy_buf_to_guest(const xen_dm_op_buf_t bufs[],
 unsigned int nr_bufs, unsigned int idx,
 const void *src, size_t src_size)
 {
- size_t size;
+ size_t buf_bytes;

 if ( idx >= nr_bufs )
 return false;

- size = min_t(size_t, bufs[idx].size, src_size);
+ buf_bytes = bufs[idx].size;
+ if ( src_size > buf_bytes )
+ return false;

- return !copy_to_guest(bufs[idx].h, src, size);
+ return !copy_to_guest(bufs[idx].h, src, src_size);
 }

 static int track_dirty_vram(struct domain *d, xen_pfn_t first_pfn,
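Review bot: With `memset(dst, 0, dst_size)` removed from copy_buf_from_guest, `dst` is no longer in a defined state when the function returns false: both early returns leave it untouched, and a failing copy_from_guest() may leave it partly written. The callers are outside this hunk, so it is worth confirming that each one checks the result before reading the destination structure; otherwise uninitialised hypervisor stack contents could be acted on. I would document the new contract above the function, e.g. `/* Fails unless guest buffer idx holds at least dst_size bytes; *dst is indeterminate on failure. */`, with the matching size rule above copy_buf_to_guest. As a style point, the `buf_bytes` local is used once in each function and could be dropped in favour of comparing against `bufs[idx].size` directly.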