[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/hvm: Correct hvm_ioreq_server_alloc_rangesets() failure path



>>> On 04.06.14 at 13:00, <andrew.cooper3@xxxxxxxxxx> wrote:
> Coverity-ID: 1220092 "Unsigned compare against 0"
> Coverity-ID: 1220093 "Out-of-bounds read"
> 
> Both of these are cased by the the while() loop in the fail path, which
> results in an infinite loop and memory corruption from rangeset_destroy().
> 
> Move hvm_ioreq_server_free_rangesets() up and use it for cleanup on the
> failure path.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Since you and Paul appear to agree to fix it that way, it'll go in as is,
but ...

> @@ -861,24 +873,11 @@ static int hvm_ioreq_server_alloc_rangesets(struct 
> hvm_ioreq_server *s,
>      return 0;
>  
>   fail:
> -    while ( --i >= 0 )

... the one line equivalent fix would have been to use while ( i-- ).

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.