From 44dfd8eea4b562e77587cdd1b2ae6b6decc870f9 Mon Sep 17 00:00:00 2001
From: Xiao Wang <jasowang@redhat.com>
Date: Wed, 8 Aug 2018 07:52:57 +0200
Subject: [PATCH 2/5] slirp: Correct size check in m_inc()
RH-Author: Xiao Wang <jasowang@redhat.com>
Message-id: <1533714777-24827-3-git-send-email-jasowang@redhat.com>
Patchwork-id: 81674
O-Subject: [RHEL-7.6/7.5z qemu-kvm-rhev 2/2] slirp: Correct size check in m_inc()
Bugzilla: 1586255
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: wexu@redhat.com
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
The data in an mbuf buffer is not necessarily at the start of the
allocated buffer. (For instance m_adj() allows data to be trimmed
from the start by just advancing the pointer and reducing the length.)
This means that the allocated buffer size (m->m_size) and the
amount of space from the m_data pointer to the end of the
buffer (M_ROOM(m)) are not necessarily the same.
Commit 864036e251f54c9 tried to change the m_inc() function from
taking the new allocated-buffer-size to taking the new room-size,
but forgot to change the initial "do we already have enough space"
check. This meant that if we were trying to extend a buffer which
had a leading gap between the buffer start and the data, we might
incorrectly decide it didn't need to be extended, and then
overrun the end of the buffer, causing memory corruption and
an eventual crash.
Change the "already big enough?" condition from checking the
argument against m->m_size to checking against M_ROOM().
This only makes a difference for the callsite in m_cat();
the other three callsites all start with a freshly allocated
mbuf from m_get(), which will have m->m_size == M_ROOM(m).
Fixes: 864036e251f54c9
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 09b94ac0f29db3b022a77a5aa50dc9e37032689d)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
slirp/mbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
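diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 0c189e1..1b78683 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size)
 int datasize;
 
 /* some compilers throw up on gotos. This one we can fake. */
- if (m->m_size > size) {
+ if (M_ROOM(m) > size) {
 return;
 }
 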
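Review bot: The new condition compares `size` against M_ROOM(m), but nothing at the check records that `size` is the room required from m_data rather than a total allocation size — exactly the ambiguity the commit message says let the old `m->m_size` comparison survive the earlier argument change. A comment directly above the check, `/* size is the room needed from m_data (not the allocation size m_size); see M_ROOM() */`, would keep a later reader from reintroducing the m_size comparison. The strict `>` also means a buffer whose room exactly equals `size` is still reallocated even though it already fits; if that headroom is deliberate it deserves a word in the same comment, otherwise `>=` may be what was intended — I cannot tell from the hunk alone. m_inc's body continues outside the hunk, so the reallocation path that follows this early return is not visible here.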
--
1.8.3.1