get_slices: panic if GuestMemoryRegion violates contract

roypat · roypat · commit 7c28b6cd9f8b · 2025-10-01T11:22:40.000-04:00
Panic in get_slices() if the call to .get_slice() returns a slice that
does not match the `len` parameter passed to it. If this happens there
is an application bug somewhere in the GuestMemoryRegion implementation,
and the library code in vm-memory, while not doing anything unsound,
will probably react unpredictably to this situation.

This way, the final paragraph in the get_slices() documentatoin about
cumulative lengths is actually true.

Signed-off-by: Patrick Roy &lt;roypat@amazon.co.uk&gt;
diff --git a/src/guest_memory.rs b/src/guest_memory.rs
@@ -525,7 +525,13 @@ impl<'a, M: GuestMemory + ?Sized> GuestMemorySliceIterator<'a, M> {
             (_, true) => return Some(Err(Error::GuestAddressOverflow)),
         };
 
-        Some(region.get_slice(start, len))
+        Some(region.get_slice(start, len).inspect(|s| {
+            assert_eq!(
+                s.len(),
+                len,
+                "get_slice() returned a slice with wrong length"
+            )
+        }))
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -525,7 +525,13 @@ impl<'a, M: GuestMemory + ?Sized> GuestMemorySliceIterator<'a, M> {`
`525`	`525`	`(_, true) => return Some(Err(Error::GuestAddressOverflow)),`
`526`	`526`	`};`
`527`	`527`
`528`		`- Some(region.get_slice(start, len))`
	`528`	`+ Some(region.get_slice(start, len).inspect(\|s\| {`
	`529`	`+ assert_eq!(`
	`530`	`+ s.len(),`
	`531`	`+ len,`
	`532`	`+ "get_slice() returned a slice with wrong length"`
	`533`	`+ )`
	`534`	`+ }))`
`529`	`535`	`}`
`530`	`536`	`}`
`531`	`537`