This issue was flagged by Coverity, although its analysis was
incorrect. This isn't actually a memory overrun / security issue, but
rather a functional correctness issue since POSIX allows reads and
writes to be partially completed, and in those cases qcow2_copy_data()
could result in a corrutped qcow2 file.
Addresses-Coverity-Bug: 1531830
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
static int qcow2_copy_data(int fdin, int fdout, __u64 off_in,
__u64 off_out, void *buf, size_t count)
{
static int qcow2_copy_data(int fdin, int fdout, __u64 off_in,
__u64 off_out, void *buf, size_t count)
{
+ ssize_t c1, c2, c;
+ void *ptr;
+ int retries = 10;
if (ext2fs_llseek(fdin, off_in, SEEK_SET) < 0)
return errno;
if (ext2fs_llseek(fdin, off_in, SEEK_SET) < 0)
return errno;
- size = read(fdin, buf, count);
- if (size != count)
- return errno;
-
- size = write(fdout, buf, count);
- if (size != count)
- return errno;
-
+ while (count > 0) {
+ errno = 0;
+ c1 = read(fdin, buf, count);
+ if (c1 < 0 || ((c1 == 0) && errno))
+ return errno;
+ if (c1 == 0)
+ break; /* EOF */
+
+ for (ptr = buf, c = c1; c > 0; ptr += c2, c -= c2) {
+ errno = 0;
+ c2 = write(fdout, ptr, c1);
+ if (c2 < 0 || ((c2 == 0) && errno))
+ return errno;
+ if (c2 == 0 && --retries <= 0)
+ break; /* This should never happen... */
+ }
+ count -= c1;
+ }