debuggers.hg

changeset 20934:02107eca8fb7

libxc: Check full range of pfns for xc_dom_pfn_to_ptr

Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.

It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
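The overflow the commit message describes, as an added example that is not Xen's own code and not the libxc function: a naive `pfn + count <= total_pages` test placed beside the three-part check the patch introduces. The names `pfn_t`, `range_ok_naive` and `range_ok_safe` are assumed for this illustration (`pfn_t` stands in for xen_pfn_t and is taken to be 64-bit here); the example also tightens the first comparison to `>=`, so that a zero-length range starting exactly at total_pages is rejected, which the patch's `>` alone does not do.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for xen_pfn_t; assumed 64-bit for this illustration. */
typedef uint64_t pfn_t;

/* Naive form: pfn + count is computed in modular arithmetic, so a
 * count near the type's maximum wraps past zero and slips through. */
bool range_ok_naive(pfn_t pfn, pfn_t count, pfn_t total_pages)
{
    return pfn + count <= total_pages;
}

/* Overflow-safe form, mirroring the structure of the fix: each
 * comparison is safe because the previous one has bounded its operands. */
bool range_ok_safe(pfn_t pfn, pfn_t count, pfn_t total_pages)
{
    if ( pfn >= total_pages )          /* pfn itself must index a real page */
        return false;
    if ( count > total_pages )         /* makes total_pages - count well defined */
        return false;
    if ( pfn > total_pages - count )   /* pfn + count <= total_pages, without the add */
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a small 256-page domain. */
    const pfn_t total = 256;
    struct { pfn_t pfn, count; } cases[] = {
        { 0,   256 },          /* whole domain: valid */
        { 255, 1 },            /* last page: valid */
        { 255, 2 },            /* runs one page past the end */
        { 1,   UINT64_MAX },   /* pfn + count wraps to 0 in the naive check */
        { 256, 0 },            /* zero pages at an off-the-end index */
    };

    for ( size_t i = 0; i < sizeof cases / sizeof cases[0]; i++ )
        printf("pfn=%3" PRIu64 " count=%20" PRIu64 " naive=%d safe=%d\n",
               cases[i].pfn, cases[i].count,
               range_ok_naive(cases[i].pfn, cases[i].count, total),
               range_ok_safe(cases[i].pfn, cases[i].count, total));
    return 0;
}
```

The fourth case is the one the commit message is about: `1 + UINT64_MAX` wraps to 0, so the naive check accepts a range that would walk the entire address space, while the subtraction form never performs the addition at all.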
author Keir Fraser <keir.fraser@citrix.com>
date Wed Feb 03 09:45:40 2010 +0000 (2010-02-03)
parents b48b5e688470
children 7a10f8513b3f
files tools/libxc/xc_dom_core.c
line diff
     1.1 --- a/tools/libxc/xc_dom_core.c	Wed Feb 03 09:45:25 2010 +0000
     1.2 +++ b/tools/libxc/xc_dom_core.c	Wed Feb 03 09:45:40 2010 +0000
     1.3 @@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_im
     1.4      unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
     1.5      char *mode = "unset";
     1.6  
     1.7 -    if ( pfn > dom->total_pages )
     1.8 +    if ( pfn > dom->total_pages ||    /* multiple checks to avoid overflows */
     1.9 +         count > dom->total_pages ||
    1.10 +         pfn > dom->total_pages - count )
    1.11      {
    1.12          xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
    1.13                        __FUNCTION__, pfn, dom->total_pages);
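Review bot: the xc_dom_printf call at the end of this hunk still reports only pfn and dom->total_pages, so when one of the two new count comparisons is what fires, the message prints an inequality that is false (pfn may be well inside total_pages) and gives no hint that count was the problem; suggest adding count to the format, e.g. `"%s: pfn range out of bounds (pfn 0x%" PRIpfn " count 0x%" PRIpfn " total 0x%" PRIpfn ")\n"`. Separately, the first comparison keeps `>` rather than `>=`: with count == 0, pfn == dom->total_pages passes all three tests and yields a pointer one page past the end. The other two checks are sound as written, since `count > dom->total_pages` guarantees `dom->total_pages - count` cannot wrap, which is the overflow the inline comment refers to.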