Improve the tests for the LBA to cover more cases.
For the 16 byte opcodes, the lba is a uint64, so we need to check is to
make sure that we do not wrap. For example if an opcode would specify
the LBA:0xffffffffffffffff and LEN:2 then lba+len would wrap to 1.
Also verify that ALL requested blocks are available, not just the first one.
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
if (r->req.cmd.buf[1] & 0xe0) {
goto illegal_request;
}
- if (r->req.cmd.lba > s->qdev.max_lba) {
+ if (r->req.cmd.lba > r->req.cmd.lba + len ||
+ r->req.cmd.lba + len - 1 > s->qdev.max_lba) {
goto illegal_lba;
}
r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
if (r->req.cmd.buf[1] & 0xe0) {
goto illegal_request;
}
- if (r->req.cmd.lba > s->qdev.max_lba) {
+ if (r->req.cmd.lba > r->req.cmd.lba + len ||
+ r->req.cmd.lba + len - 1 > s->qdev.max_lba) {
goto illegal_lba;
}
r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);