[Devel] [PATCH VZ9 7/7] drivers/vhost/blk: ensure total request size

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Mon Jun 15 13:45:36 MSK 2026


before caluclating payload letght, otherwise size->len can
underflow.

https://virtuozzo.atlassian.net/browse/VSTOR-134034
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 drivers/vhost/blk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index 54df32be14953..619b5f4a8fec7 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -458,6 +458,9 @@ static int vhost_blk_req_handle(struct vhost_virtqueue *vq,
 	req->iov	= blk_vq->iov;
 	req->bio_err	= 0;
 
+	if (iov_length(vq->iov, total_iov_nr) < sizeof(status))
+		return -EINVAL;
+
 	req->len	= iov_length(vq->iov, total_iov_nr) - sizeof(status);
 	req->iov_nr	= move_iovec(vq->iov, req->iov, req->len, total_iov_nr,
 				     ARRAY_SIZE(blk_vq->iov));
-- 
2.43.5



More information about the Devel mailing list