diff options
author | Keir Fraser <keir.fraser@citrix.com> | 2010-02-03 09:45:40 +0000 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2010-02-03 09:45:40 +0000 |
commit | 91e172bf6bc82d0f26564d545ef181d0d18ae1af (patch) | |
tree | c04d31f8633340a0d2130cf0cf7e9e13d299bd5a /tools/libxc/xc_dom_core.c | |
parent | ada9d8c9f20850fb8730b60c04942cddf746a45f (diff) | |
download | xen-91e172bf6bc82d0f26564d545ef181d0d18ae1af.tar.gz xen-91e172bf6bc82d0f26564d545ef181d0d18ae1af.tar.bz2 xen-91e172bf6bc82d0f26564d545ef181d0d18ae1af.zip |
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.
It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Diffstat (limited to 'tools/libxc/xc_dom_core.c')
-rw-r--r-- | tools/libxc/xc_dom_core.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index b1e90d8d6e..23c655efb3 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn, unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom); char *mode = "unset"; - if ( pfn > dom->total_pages ) + if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */ + count > dom->total_pages || + pfn > dom->total_pages - count ) { xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n", __FUNCTION__, pfn, dom->total_pages); |