virtio: net: fix integer overflow

Fix a potential integer overflow when computing the end of the
destination slice during a configuration write in
Net::write_config(). This bug leads to a panic when adding with
overflow or indexing the slice a few lines below, depending on the
build.

Fix this by using `usize::checked_add()` and `slice::get_mut()`.

Signed-off-by: Carlos López <[email protected]>

Author: 00xc

src/vmm/src/devices/virtio/net/device.rs

@@ -790,16 +790,19 @@ impl VirtioDevice for Net {
     }
 
     fn write_config(&mut self, offset: u64, data: &[u8]) {
-        let data_len = data.len() as u64;
         let config_space_bytes = self.config_space.as_mut_slice();
-        let config_len = config_space_bytes.len() as u64;
-        if offset + data_len > config_len {
+        let start = usize::try_from(offset).ok();
+        let end = start.and_then(|s| s.checked_add(data.len()));
+        let Some(dst) = start
+            .zip(end)
+            .and_then(|(start, end)| config_space_bytes.get_mut(start..end)) else
+        {
             error!("Failed to write config space");
             METRICS.net.cfg_fails.inc();
             return;
-        }
+        };
 
-        config_space_bytes[offset as usize..(offset + data_len) as usize].copy_from_slice(data);
+        dst.copy_from_slice(data);
         self.guest_mac = Some(self.config_space.guest_mac);
         METRICS.net.mac_address_updates.inc();
     }