From: Max Reitz To: qemu-block@nongnu.org Date: Mon, 19 Aug 2019 20:55:57 +0200 Message-Id: <20190819185602.4267-12-mreitz@redhat.com> In-Reply-To: <20190819185602.4267-1-mreitz@redhat.com> References: <20190819185602.4267-1-mreitz@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.68]); Mon, 19 Aug 2019 18:56:40 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v2 11/16] qcow2: Keep track of the snapshot table length X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-devel@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" When repairing the snapshot table, we truncate entries that have too much extra data. This frees up space that we do not have to count towards the snapshot table size. Signed-off-by: Max Reitz Reviewed-by: Eric Blake --- block/qcow2-snapshot.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c index 53dc1635ec..582eb3386a 100644 --- a/block/qcow2-snapshot.c +++ b/block/qcow2-snapshot.c @@ -68,6 +68,7 @@ static int qcow2_do_read_snapshots(BlockDriverState *bs, = bool repair, QCowSnapshot *sn; int i, id_str_size, name_size; int64_t offset; + uint64_t table_length =3D 0; int ret; =20 if (!s->nb_snapshots) { 
@@ -82,6 +83,8 @@ static int qcow2_do_read_snapshots(BlockDriverState *bs, = bool repair, for(i =3D 0; i < s->nb_snapshots; i++) { bool truncate_unknown_extra_data =3D false; =20 + table_length =3D ROUND_UP(table_length, 8); + /* Read statically sized part of the snapshot header */ offset =3D ROUND_UP(offset, 8); ret =3D bdrv_pread(bs->file, offset, &h, sizeof(h)); @@ -184,7 +187,16 @@ static int qcow2_do_read_snapshots(BlockDriverState *b= s, bool repair, offset +=3D name_size; sn->name[name_size] =3D '\0'; =20 - if (offset - s->snapshots_offset > QCOW_MAX_SNAPSHOTS_SIZE) { + /* Note that the extra data may have been truncated */ + table_length +=3D sizeof(h) + sn->extra_data_size + id_str_size + + name_size; + if (!repair) { + assert(table_length =3D=3D offset - s->snapshots_offset); + } + + if (table_length > QCOW_MAX_SNAPSHOTS_SIZE || + offset - s->snapshots_offset > INT_MAX) + { ret =3D -EFBIG; error_setg(errp, "Snapshot table is too big"); goto fail; --=20 2.21.0
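Review bot: in the second hunk, `table_length = ROUND_UP(table_length, 8);` mirrors the existing `offset = ROUND_UP(offset, 8);`, but the two values only stay in step (as the later `assert(table_length == offset - s->snapshots_offset)` in the non-repair path requires) when s->snapshots_offset is itself 8-byte aligned, because offset is rounded in absolute terms while table_length is rounded relative to zero. A comment or a sentence in the commit message stating that header validation already rejects a misaligned snapshots_offset would make it clear that a crafted image cannot reach the assertion instead of a clean "corrupt image" error.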
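Review bot: in the third hunk, the new `offset - s->snapshots_offset > INT_MAX` condition is not covered by the commit message, which only explains why truncated extra data is no longer counted towards the table size; a comment above the `if` saying why the on-disk span of the table (which in repair mode can be larger than table_length, since truncated extra data is still skipped on disk) must additionally fit in an int would help future readers. Both conditions also share the single "Snapshot table is too big" message, so consider separate wording for the two cases: a table that genuinely exceeds QCOW_MAX_SNAPSHOTS_SIZE versus one whose counted size is fine but whose on-disk extent is too large.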