Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the slirp network code

[Fabrice Bellard <fabrice@bellard.org>]

Juergen Keil wrote:
> Compiling inside a NetBSD 1.5 qemu guest OS (source files are located
> on an NFS filesystem mounted from the Solaris host OS) crashes qemu
> with a malloc heap corruption error, when the slirp user mode
> networking code is in use.
> [...]

> Using the "electric fence" memory allocator, the location of the data
> corruption can be narrowed down to the destination address in the memcpy
> call in slirp/mbuf.c, function m_cat():
> 
>     void
>     m_cat(m, n)
> 	register struct mbuf *m, *n;
>     {
> 	/*
> 	 * If there's no room, realloc
> 	 */
> 	if (M_FREEROOM(m) < n->m_len)
> 		m_inc(m,m->m_size+MINCSIZE);

First this code is incorrect : it increases the size by MINCSIZE which 
can be smaller than the required size.

> 	
> 	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);  <<<< this memcpy 
> 							  corrupts the malloc
> 							  heap
>         ....
>     }
> 
> 
> The problem is apparently in m_inc(), when an mbuf with an external
> data buffer is resized.  After resizing the mbuf, the m_data member
> still points into the old buffer, before is was reallocated.  For some
> reason, the code to re-adjust the m_data pointer is present in the M_EXT
> case in m_inc(), but is commented out. (With a bit of luck, realloc
> might be able to adjust the size of the memory block in place; but
> slirp shouldn't rely on this)
> 
> Fix: Adjust mbuf->m_data after a realloc of the external data buffer

OK. Does someone knows why this code was suppressed ?

Fabrice.