authorKeir Fraser <keir.fraser@citrix.com>2010-02-03 09:45:40 +0000
committerKeir Fraser <keir.fraser@citrix.com>2010-02-03 09:45:40 +0000
commit91e172bf6bc82d0f26564d545ef181d0d18ae1af (patch)
treec04d31f8633340a0d2130cf0cf7e9e13d299bd5a /tools/libxc/xc_dom_core.c
parentada9d8c9f20850fb8730b60c04942cddf746a45f (diff)
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to xc_dom_pfn_to_ptr, and functions which call it, would run off the end of the pfn array giving undefined behaviour. It is tempting to change this check to an assert, as no callers should be providing invalid parameters here. But this is probably best not done while frozen for 4.0. Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Diffstat (limited to 'tools/libxc/xc_dom_core.c')
-rw-r--r--tools/libxc/xc_dom_core.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index b1e90d8d6e..23c655efb3 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
char *mode = "unset";
- if ( pfn > dom->total_pages )
+ if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */
+ count > dom->total_pages ||
+ pfn > dom->total_pages - count )
{
xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
__FUNCTION__, pfn, dom->total_pages);
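Review bot: The `xc_dom_printf` message at the end of this hunk still reports only `pfn` against `dom->total_pages`, so a call rejected by the new `count > dom->total_pages` or `pfn > dom->total_pages - count` test logs a pfn that may be in range and a comparison that is not the one that failed. Logging the count as well would make a rejected range diagnosable, e.g. `"%s: pfn range out of bounds (0x%" PRIpfn " + 0x%" PRIpfn " > 0x%" PRIpfn ")\n"` with arguments `__FUNCTION__, pfn, count, dom->total_pages`; this assumes `count` is a `xen_pfn_t`, as its declaration is outside the hunk. The first test `pfn > dom->total_pages` is implied by the other two. With `count == 0` the check still accepts `pfn == dom->total_pages`, and whether that one-past-the-end value is safe depends on the rest of the function, which is not visible here.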