|
|
9ae3a8 |
From a2aad899158f118fd8ab16531385b9fc2b48ba14 Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
Message-Id: <a2aad899158f118fd8ab16531385b9fc2b48ba14.1387382496.git.minovotn@redhat.com>
|
|
|
9ae3a8 |
In-Reply-To: <c5386144fbf09f628148101bc674e2421cdd16e3.1387382496.git.minovotn@redhat.com>
|
|
|
9ae3a8 |
References: <c5386144fbf09f628148101bc674e2421cdd16e3.1387382496.git.minovotn@redhat.com>
|
|
|
9ae3a8 |
From: Nigel Croxon <ncroxon@redhat.com>
|
|
|
9ae3a8 |
Date: Thu, 14 Nov 2013 22:53:03 +0100
|
|
|
9ae3a8 |
Subject: [PATCH 27/46] rdma: use resp.len after validation in
|
|
|
9ae3a8 |
qemu_rdma_registration_stop
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
RH-Author: Nigel Croxon <ncroxon@redhat.com>
|
|
|
9ae3a8 |
Message-id: <1384469598-13137-28-git-send-email-ncroxon@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: 55716
|
|
|
9ae3a8 |
O-Subject: [RHEL7.0 PATCH 27/42] rdma: use resp.len after validation in qemu_rdma_registration_stop
|
|
|
9ae3a8 |
Bugzilla: 1011720
|
|
|
9ae3a8 |
RH-Acked-by: Orit Wasserman <owasserm@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Bugzilla: 1011720
|
|
|
9ae3a8 |
https://bugzilla.redhat.com/show_bug.cgi?id=1011720
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
>From commit ID:
|
|
|
9ae3a8 |
commit 885e8f984ea846e79a39ddc4f066f4dd3d04b264
|
|
|
9ae3a8 |
Author: Isaku Yamahata <yamahata@private.email.ne.jp>
|
|
|
9ae3a8 |
Date: Fri Aug 9 16:05:40 2013 -0400
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
rdma: use resp.len after validation in qemu_rdma_registration_stop
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
resp.len is given from remote host. So should be validated before use.
|
|
|
9ae3a8 |
Otherwise memcpy can access beyond the buffer.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Cc: Michael R. Hines <mrhines@us.ibm.com>
|
|
|
9ae3a8 |
Reviewed-by: Orit Wasserman <owasserm@redhat.com>
|
|
|
9ae3a8 |
Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
|
|
|
9ae3a8 |
Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp>
|
|
|
9ae3a8 |
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
|
|
|
9ae3a8 |
Message-id: 1376078746-24948-2-git-send-email-mrhines@linux.vnet.ibm.com
|
|
|
9ae3a8 |
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
migration-rdma.c | 7 +++----
|
|
|
9ae3a8 |
1 files changed, 3 insertions(+), 4 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Signed-off-by: Michal Novotny <minovotn@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
migration-rdma.c | 7 +++----
|
|
|
9ae3a8 |
1 file changed, 3 insertions(+), 4 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/migration-rdma.c b/migration-rdma.c
|
|
|
9ae3a8 |
index ff0a823..1412cde 100644
|
|
|
9ae3a8 |
--- a/migration-rdma.c
|
|
|
9ae3a8 |
+++ b/migration-rdma.c
|
|
|
9ae3a8 |
@@ -3045,10 +3045,6 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
|
|
|
9ae3a8 |
return ret;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
- qemu_rdma_move_header(rdma, reg_result_idx, &resp);
|
|
|
9ae3a8 |
- memcpy(rdma->block,
|
|
|
9ae3a8 |
- rdma->wr_data[reg_result_idx].control_curr, resp.len);
|
|
|
9ae3a8 |
-
|
|
|
9ae3a8 |
nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock);
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
/*
|
|
|
9ae3a8 |
@@ -3070,6 +3066,9 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
|
|
|
9ae3a8 |
return -EINVAL;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
+ qemu_rdma_move_header(rdma, reg_result_idx, &resp);
|
|
|
9ae3a8 |
+ memcpy(rdma->block,
|
|
|
9ae3a8 |
+ rdma->wr_data[reg_result_idx].control_curr, resp.len);
|
|
|
9ae3a8 |
for (i = 0; i < nb_remote_blocks; i++) {
|
|
|
9ae3a8 |
network_to_remote_block(&rdma->block[i]);
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.7.11.7
|
|
|
9ae3a8 |
|