qcow1: Check maximum cluster size

Huge values for header.cluster_bits cause unbounded allocations (e.g. for s->cluster_cache) and crash qemu this way. Less huge values may survive those allocations, but can cause integer overflows later on. The only cluster sizes that qemu can create are 4k (for standalone images) and 512 (for images with backing files), so we can limit it to 64k. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net>
author: Kevin Wolf <kwolf@redhat.com> 2014-05-07 17:30:30 +0200
committer: Kevin Wolf <kwolf@redhat.com> 2014-05-19 11:36:49 +0200
commit: 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f (patch)
tree: 9f386b302d585c903fd61522e4e584021eadfcff /block/qcow.c
parent: ea54feff58efedc809641474b25a3130309678e7 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c
index 3684794dee..e60df234c4 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
-    if (header.size <= 1 || header.cluster_bits < 9) {
-        error_setg(errp, "invalid value in qcow header");
+    if (header.size <= 1) {
+        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
         ret = -EINVAL;
         goto fail;
     }
+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+        error_setg(errp, "Cluster size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         error_setg(errp, "invalid encryption method in qcow header");
         ret = -EINVAL;
author	Kevin Wolf <kwolf@redhat.com>	2014-05-07 17:30:30 +0200
committer	Kevin Wolf <kwolf@redhat.com>	2014-05-19 11:36:49 +0200
commit	7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f (patch)
tree	9f386b302d585c903fd61522e4e584021eadfcff /block/qcow.c
parent	ea54feff58efedc809641474b25a3130309678e7 (diff)