[viostor] add protection against IO out-of-bounds access
Signed-off-by:  Zhang JianMing <[email protected]>

for the problem description
please visit #829
zjmletang authored and YanVugenfirer committed Nov 10, 2023
1 parent c165bd5 commit 67f64d0
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions viostor/virtio_stor.c
Expand Up @@ -1333,15 +1333,15 @@ VirtIoBuildIo(

lba = RhelGetLba(DeviceExtension, cdb);
blocks = (SRB_DATA_TRANSFER_LENGTH(Srb) + adaptExt->info.blk_size - 1) / adaptExt->info.blk_size;
if (lba > adaptExt->lastLBA) {
if (lba > adaptExt->lastLBA - 1) {
RhelDbgPrint(TRACE_LEVEL_ERROR, " SRB_STATUS_BAD_SRB_BLOCK_LENGTH lba = %llu lastLBA= %llu\n", lba, adaptExt->lastLBA);
CompleteRequestWithStatus(DeviceExtension, (PSRB_TYPE)Srb, SRB_STATUS_BAD_SRB_BLOCK_LENGTH);
return FALSE;
}
if ((lba + blocks) > adaptExt->lastLBA) {


EnergyFaith Jan 31, 2024

Hi, is there any reason why 1336 changed the boundary but not 1341? It seems that they have the same problem.

blocks = (ULONG)(adaptExt->lastLBA + 1 - lba);
RhelDbgPrint(TRACE_LEVEL_ERROR, " lba = %llu lastLBA= %llu blocks = %lu\n", lba, adaptExt->lastLBA, blocks);
SRB_SET_DATA_TRANSFER_LENGTH(Srb, (blocks * adaptExt->info.blk_size));
RhelDbgPrint(TRACE_LEVEL_ERROR, " SRB_STATUS_BAD_SRB_BLOCK_LENGTH lba = %llu lastLBA= %llu blocks = %lu\n", lba, adaptExt->lastLBA, blocks);
CompleteRequestWithStatus(DeviceExtension, (PSRB_TYPE)Srb, SRB_STATUS_BAD_SRB_BLOCK_LENGTH);
return FALSE;
}

sgList = StorPortGetScatterGatherList(DeviceExtension, Srb);
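
Review bot: The new first comparison, `lba > adaptExt->lastLBA - 1`, wraps when lastLBA is 0 if the field is unsigned (both operands are printed with %llu), so on a zero-capacity device the guard would accept every lba; `lba >= adaptExt->lastLBA` gives the same bound without the subtraction. The second comparison, `(lba + blocks) > adaptExt->lastLBA`, can be written as `blocks > adaptExt->lastLBA - lba`, which cannot overflow because the first check already guarantees lba is below lastLBA. Read together, the two conditions treat lastLBA as a block count (valid LBAs run from 0 to lastLBA - 1, and lba + blocks == lastLBA is accepted), while the clamp in the same hunk, `blocks = (ULONG)(adaptExt->lastLBA + 1 - lba)`, treated it as an inclusive last index; a one-line comment above the checks stating which meaning is intended would settle why only the first comparison changed. A request that crosses the end of the device is also now completed with SRB_STATUS_BAD_SRB_BLOCK_LENGTH instead of being shortened, and that behaviour change deserves a sentence in the commit message rather than only a pointer to #829.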