From 284d8c488102b6d59adb2a89930e9e3827f1ba19 Mon Sep 17 00:00:00 2001
From: "kfraser@localhost.localdomain"
Date: Thu, 21 Jun 2007 09:47:39 +0100
Subject: [PATCH] libxenguest: Add missing range-check on count field read from a domain save/restore file.
Signed-off-by: Keir Fraser
---
 tools/libxc/xc_domain_restore.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
index aaabed6d42..3193ce191c 100644
--- a/tools/libxc/xc_domain_restore.c
+++ b/tools/libxc/xc_domain_restore.c
@@ -903,13 +903,14 @@ int xc_domain_restore(int xc_handle, int io_fd, uint32_t dom,
 /* Get the list of PFNs that are not in the psuedo-phys map */
 {
- unsigned int count;
+ unsigned int count = 0;
 unsigned long *pfntab;
 int nr_frees, rc;
- if ( !read_exact(io_fd, &count, sizeof(count)) )
+ if ( !read_exact(io_fd, &count, sizeof(count)) ||
+ (count > (1U << 28)) ) /* up to 1TB of address space */
 {
- ERROR("Error when reading pfn count");
+ ERROR("Error when reading pfn count (= %u)", count);
 goto out;
 }
-- 
2.30.2
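Review bot: The combined condition in the new `if` reports a short read and an out-of-range count through the same message, so a failed `read_exact()` logs "(= 0)" (or a partially filled value) as though that were the count stored in the file. Moving the range test into its own `if ( count > (1U << 28) )` with a message such as `ERROR("pfn count out of range (= %u)", count);`, and leaving the read failure with the original text, would let someone triaging a restore failure tell a truncated image from a malformed or hostile one. The ceiling is also a fixed constant rather than a value derived from the domain being restored, so a save file can still ask for up to 2^28 entries. Whatever is sized or indexed by `count` sits after this hunk, so whether a tighter bound against the guest's known size is available at this point needs checking there.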