From: Ian Campbell <ian.campbell@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Ross Lagerwall <ross.lagerwall@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH 3/6] tools/libxl: Allow adding larger amounts of prefixdata to datacopier
Date: Fri, 20 Feb 2015 10:32:52 +0000
Message-ID: <1424428372.30924.174.camel@citrix.com>
In-Reply-To: <1424277263-27745-4-git-send-email-andrew.cooper3@citrix.com>

On Wed, 2015-02-18 at 16:34 +0000, Andrew Cooper wrote:
> From: Ross Lagerwall <ross.lagerwall@citrix.com>
>
> Previously, adding more than 1000 bytes of data would cause a segfault.
> Now, the maximum amount of data that can be added is limited by maxsz.

http://lists.xen.org/archives/html/xen-devel/2014-09/msg01806.html:
struct libxl__datacopier_buf contains a fixed size 1000 byte
statically allocated buffer so adding > 1000 bytes of data would
cause it to overrun the buffer and overwrite other memory.

http://lists.xen.org/archives/html/xen-devel/2014-09/msg01813.html
Yes, this should be the main point of the commit log though.

The commit log should mention that the current code overruns a static
1000 byte buffer and fixes it by allocating and chaining as many buffers
as are required for the amount of data.

>
> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: Ian Campbell <Ian.Campbell@citrix.com>
> CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> ---
> tools/libxl/libxl_aoutils.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/tools/libxl/libxl_aoutils.c b/tools/libxl/libxl_aoutils.c
> index 3e0c0ae..6882ca3 100644
> --- a/tools/libxl/libxl_aoutils.c
> +++ b/tools/libxl/libxl_aoutils.c
> @@ -160,6 +160,8 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc,
> {
> EGC_GC;
> libxl__datacopier_buf *buf;
> + const uint8_t *ptr;
> +
> /*
> * It is safe for this to be called immediately after _start, as
> * is documented in the public comment. _start's caller must have
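
Review bot: the context comment in this hunk points at the public comment for libxl__datacopier_prefixdata, but the diffstat shows only libxl_aoutils.c changing, so the documented contract is not updated together with the behaviour. If that comment states or implies a size limit on the data argument, it should now give the limit as dc->maxsz - dc->used rather than the capacity of a single buffer.
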
> @@ -170,12 +172,14 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc,
>
> assert(len < dc->maxsz - dc->used);
>
> - buf = libxl__zalloc(NOGC, sizeof(*buf));
> - buf->used = len;
> - memcpy(buf->buf, data, len);
> + for (ptr = data; len; len -= buf->used, ptr += buf->used) {
> + buf = libxl__malloc(NOGC, sizeof(*buf));
> + buf->used = min(len, sizeof(buf->buf));
> + memcpy(buf->buf, ptr, buf->used);
>
> - dc->used += len;
> - LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry);
> + dc->used += buf->used;
> + LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry);
> + }
> }
>
> static int datacopier_pollhup_handled(libxl__egc *egc,
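
Review bot: the new loop allocates with libxl__malloc(NOGC, sizeof(*buf)) where the removed code used libxl__zalloc, so each chained buffer is no longer zero-filled. Only buf->used, the first buf->used bytes of buf->buf and the list entry are written before LIBXL_TAILQ_INSERT_TAIL. Any other member of libxl__datacopier_buf, and the unused tail of buf->buf in the final chunk, are left uninitialised. Either keep libxl__zalloc or state in the commit message that no consumer reads past buf->used. Separately, with len == 0 the loop body never runs, so no buffer is queued at all, whereas the removed code appended an empty one; worth a sentence in the commit message if that change is intended.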