On Fri, 22 Nov 2019 00:54:20 +0000, Haiyang Zhang wrote:
> > >
> > > - tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table +
> > > - nvmsg->msg.v5_msg.send_table.offset);
> > > + if (offset > msglen - count * sizeof(u32)) {
> >
> > Can't this underflow now? What if msglen is small?
> msglen came from the vmbus container message. We trust it to be big
> enough for the data region.
Ok, it looked like it was read from some descriptor which could
potentially be controlled by "the other side" but I trust your
judgement :)
Both patches LGTM, then.
