On 06/01/19 at 11:42pm, Christopher Clark wrote:
+memcpy_to_guest_ring(struct argo_ring_info *ring_info, uint32_t offset,
+ const void *src, XEN_GUEST_HANDLE(uint8_t) src_hnd,
+ uint32_t len)
+{
+ unsigned int mfns_index = offset >> PAGE_SHIFT;
+ void *dst;
+ int ret;
+ unsigned int src_offset = 0;
+
+ ASSERT(spin_is_locked(&ring_info->lock));
+
+ offset &= ~PAGE_MASK;
+
+ if ( (len > XEN_ARGO_MAX_RING_SIZE) || (offset > XEN_ARGO_MAX_RING_SIZE) )
+ return -EFAULT;
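Review bot: the `offset > XEN_ARGO_MAX_RING_SIZE` test runs after `offset &= ~PAGE_MASK`, so it only sees the in-page remainder and cannot fire if XEN_ARGO_MAX_RING_SIZE is at least one page. Meanwhile `mfns_index`, taken from the unmasked offset, is not range-checked anywhere in the lines shown. Suggest validating the original offset and len together against the ring bound before masking, written so the uint32_t sum cannot wrap (check offset first, then compare len against the bound minus offset). A short comment saying which of `src` and `src_hnd` the caller is expected to supply would also help.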
With offset < PAGE_SIZE with the previous mask, shouldn't the sanity
check be:
if (len + offset > XEN_ARGO_MAX_RING_SIZE)
--
Eric Chanudet