diff options
| author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:05:47 +0100 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-07-03 16:18:12 -0500 |
| commit | 5ba151f4dcca96d47896a5f77fa74ab5b6e9b06f (patch) | |
| tree | 25f4f318bd49cc8952c7d4edbbd8dd4081705c90 /tests | |
| parent | cd598d41616189f33b35f69a5f7ba70c8112c272 (diff) | |
| download | qemu-5ba151f4dcca96d47896a5f77fa74ab5b6e9b06f.tar.gz | |
qcow2: Fix backing file name length check
len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.
This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating it to 1023.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6d33e8e7dc9d40ea105feed4b39caa3e641569e8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'tests')
| -rwxr-xr-x | tests/qemu-iotests/080 | 8 | ||||
| -rw-r--r-- | tests/qemu-iotests/080.out | 5 |
2 files changed, 13 insertions, 0 deletions
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080 index 7255b6cca6..f3091a9377 100755 --- a/tests/qemu-iotests/080 +++ b/tests/qemu-iotests/080 @@ -45,6 +45,7 @@ _supported_os Linux header_size=104 offset_backing_file_offset=8 +offset_backing_file_size=16 offset_l1_size=36 offset_l1_table_offset=40 offset_refcount_table_offset=48 @@ -135,6 +136,13 @@ poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xe poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01" { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir +echo +echo "== Invalid backing file size ==" +_make_test_img 64M +poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x10\x00" +poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff" +{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out index 4ec2545051..8103211064 100644 --- a/tests/qemu-iotests/080.out +++ b/tests/qemu-iotests/080.out @@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset no file open, try 'help open' qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset no file open, try 'help open' + +== Invalid backing file size == +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 +qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long +no file open, try 'help open' *** done |