virtio: block: fix integer overflow

When computing the end of the destination slice for a configuration
write in Block::write_config(), an addition might overflow. This will
immediately cause a panic in debug builds, and panic on slice
indexing a few lines below for release builds.

Fix this by using `usize::checked_add()` and `slice::get_mut()`.

Signed-off-by: Carlos López <[email protected]>

Author: 00xc

src/vmm/src/devices/virtio/block/device.rs

@@ -578,15 +578,18 @@ impl VirtioDevice for Block {
     }
 
     fn write_config(&mut self, offset: u64, data: &[u8]) {
-        let data_len = data.len() as u64;
-        let config_len = self.config_space.len() as u64;
-        if offset + data_len > config_len {
+        let start = usize::try_from(offset).ok();
+        let end = start.and_then(|s| s.checked_add(data.len()));
+        let Some(dst) = start
+            .zip(end)
+            .and_then(|(start, end)| self.config_space.get_mut(start..end)) else
+        {
             error!("Failed to write config space");
             METRICS.block.cfg_fails.inc();
             return;
-        }
+        };
 
-        self.config_space[offset as usize..(offset + data_len) as usize].copy_from_slice(data);
+        dst.copy_from_slice(data);
     }
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> ActivateResult {