|
 |
12f46f |
From ebad012fad51bd72c0618face6188086ee9c2be4 Mon Sep 17 00:00:00 2001
|
|
|
12f46f |
From: Xiao Wang <jasowang@redhat.com>
|
|
|
12f46f |
Date: Wed, 8 Aug 2018 06:01:52 +0200
|
|
|
12f46f |
Subject: [PATCH 3/3] slirp: Correct size check in m_inc()
|
|
|
12f46f |
|
|
|
12f46f |
RH-Author: Xiao Wang <jasowang@redhat.com>
|
|
|
12f46f |
Message-id: <1533708112-14286-4-git-send-email-jasowang@redhat.com>
|
|
|
12f46f |
Patchwork-id: 81672
|
|
|
12f46f |
O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 3/3] slirp: Correct size check in m_inc()
|
|
|
12f46f |
Bugzilla: 1586247
|
|
|
12f46f |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
12f46f |
RH-Acked-by: wexu@redhat.com
|
|
|
12f46f |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
12f46f |
|
|
|
12f46f |
From: Peter Maydell <peter.maydell@linaro.org>
|
|
|
12f46f |
|
|
|
12f46f |
The data in an mbuf buffer is not necessarily at the start of the
|
|
|
12f46f |
allocated buffer. (For instance m_adj() allows data to be trimmed
|
|
|
12f46f |
from the start by just advancing the pointer and reducing the length.)
|
|
|
12f46f |
This means that the allocated buffer size (m->m_size) and the
|
|
|
12f46f |
amount of space from the m_data pointer to the end of the
|
|
|
12f46f |
buffer (M_ROOM(m)) are not necessarily the same.
|
|
|
12f46f |
|
|
|
12f46f |
Commit 864036e251f54c9 tried to change the m_inc() function from
|
|
|
12f46f |
taking the new allocated-buffer-size to taking the new room-size,
|
|
|
12f46f |
but forgot to change the initial "do we already have enough space"
|
|
|
12f46f |
check. This meant that if we were trying to extend a buffer which
|
|
|
12f46f |
had a leading gap between the buffer start and the data, we might
|
|
|
12f46f |
incorrectly decide it didn't need to be extended, and then
|
|
|
12f46f |
overrun the end of the buffer, causing memory corruption and
|
|
|
12f46f |
an eventual crash.
|
|
|
12f46f |
|
|
|
12f46f |
Change the "already big enough?" condition from checking the
|
|
|
12f46f |
argument against m->m_size to checking against M_ROOM().
|
|
|
12f46f |
This only makes a difference for the callsite in m_cat();
|
|
|
12f46f |
the other three callsites all start with a freshly allocated
|
|
|
12f46f |
mbuf from m_get(), which will have m->m_size == M_ROOM(m).
|
|
|
12f46f |
|
|
|
12f46f |
Fixes: 864036e251f54c9
|
|
|
12f46f |
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
|
|
|
12f46f |
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
|
12f46f |
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
12f46f |
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
|
|
|
12f46f |
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
12f46f |
(cherry picked from commit 09b94ac0f29db3b022a77a5aa50dc9e37032689d)
|
|
|
12f46f |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
12f46f |
---
|
|
|
12f46f |
slirp/mbuf.c | 2 +-
|
|
|
12f46f |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
12f46f |
|
|
|
12f46f |
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
|
|
|
12f46f |
index 0c189e1..1b78683 100644
|
|
|
12f46f |
--- a/slirp/mbuf.c
|
|
|
12f46f |
+++ b/slirp/mbuf.c
|
|
|
12f46f |
@@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size)
|
|
|
12f46f |
int datasize;
|
|
|
12f46f |
|
|
|
12f46f |
/* some compilers throw up on gotos. This one we can fake. */
|
|
|
12f46f |
- if (m->m_size > size) {
|
|
|
12f46f |
+ if (M_ROOM(m) > size) {
|
|
|
12f46f |
return;
|
|
|
12f46f |
}
|
|
|
12f46f |
|
|
|
12f46f |
--
|
|
|
12f46f |
1.8.3.1
|
|
|
12f46f |
|