From 69dd3f5be00b5232e45bbfb92ba50c97b084767a Mon Sep 17 00:00:00 2001
Message-Id: <69dd3f5be00b5232e45bbfb92ba50c97b084767a.1382534061.git.jdenemar@redhat.com>
From: Osier Yang <jyang@redhat.com>
Date: Wed, 16 Oct 2013 23:12:57 +0800
Subject: [PATCH] rpc: Correct the wrong payload size checking

https://bugzilla.redhat.com/show_bug.cgi?id=950416

<...>
/* Size of message length field. Not counted in VIR_NET_MESSAGE_MAX
 * and VIR_NET_MESSAGE_INITIAL.
 */
const VIR_NET_MESSAGE_LEN_MAX = 4;
</...>

However, msg->bufferLength includes the length word. The wrong checking
was introduced by commit e914dcfd.

* src/rpc/virnetmessage.c:
  - Correct the checking in virNetMessageEncodePayloadRaw
  - Use a new variable to track the new payload length in
    virNetMessageEncodePayloadRaw
(cherry picked from commit 0959785d3b4a4da3c24352942ca4d2152f4e0191)

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/rpc/virnetmessage.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c
index 8f4e4bc..d60366b 100644
--- a/src/rpc/virnetmessage.c
+++ b/src/rpc/virnetmessage.c
@@ -346,15 +346,16 @@ int virNetMessageEncodePayload(virNetMessagePtr msg,
 
     /* Try to encode the payload. If the buffer is too small increase it. */
     while (!(*filter)(&xdr, data)) {
-        if ((msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4 > VIR_NET_MESSAGE_MAX) {
+        unsigned int newlen = (msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4;
+
+        if (newlen > VIR_NET_MESSAGE_MAX) {
             virReportError(VIR_ERR_RPC, "%s", _("Unable to encode message payload"));
             goto error;
         }
 
         xdr_destroy(&xdr);
 
-        msg->bufferLength = (msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4 +
-            VIR_NET_MESSAGE_LEN_MAX;
+        msg->bufferLength = newlen + VIR_NET_MESSAGE_LEN_MAX;
 
         if (VIR_REALLOC_N(msg->buffer, msg->bufferLength) < 0)
             goto error;
@@ -426,10 +427,15 @@ int virNetMessageEncodePayloadRaw(virNetMessagePtr msg,
 
     /* If the message buffer is too small for the payload increase it accordingly. */
     if ((msg->bufferLength - msg->bufferOffset) < len) {
-        if ((msg->bufferOffset + len) > VIR_NET_MESSAGE_MAX) {
+        if ((msg->bufferOffset + len) >
+            (VIR_NET_MESSAGE_MAX + VIR_NET_MESSAGE_LEN_MAX)) {
             virReportError(VIR_ERR_RPC,
-                           _("Stream data too long to send (%zu bytes needed, %zu bytes available)"),
-                           len, (VIR_NET_MESSAGE_MAX - msg->bufferOffset));
+                           _("Stream data too long to send "
+                             "(%zu bytes needed, %zu bytes available)"),
+                           len,
+                           VIR_NET_MESSAGE_MAX +
+                           VIR_NET_MESSAGE_LEN_MAX -
+                           msg->bufferOffset);
             return -1;
         }
 
-- 
1.8.4