From: Juergen Keil <jk@tools.de>
To: Fabrice Bellard <fabrice@bellard.org>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the slirp network code
Date: Mon, 6 Jun 2005 11:06:26 +0200 (CEST)
Message-ID: <200506060906.j5696Q6f012427@imap3.tools.intra>
> Fabrice Bellard wrote
>
> Juergen Keil wrote:
> > Compiling inside a NetBSD 1.5 qemu guest OS (source files are located
> > on an NFS filesystem mounted from the Solaris host OS) crashes qemu
> > with a malloc heap corruption error, when the slirp user mode
> > networking code is in use.
> > [...]
>
> > Using the "electric fence" memory allocator, the location of the data
> > corruption can be narrowed down to the destination address in the memcpy
> > call in slirp/mbuf.c, function m_cat():
> >
> > void
> > m_cat(m, n)
> > register struct mbuf *m, *n;
> > {
> > /*
> > * If there's no room, realloc
> > */
> > if (M_FREEROOM(m) < n->m_len)
> > m_inc(m,m->m_size+MINCSIZE);
>
> First this code is incorrect : it increases the size by MINCSIZE which
> can be smaller than the required size.
Yep.
The m_cat() code might work in the slirp environment because its only
use is to reassemble IP fragments, which have a max size (~1500 bytes) that
is always smaller than MINCSIZE (4096).
To make the code more robust, it won't hurt to make sure the size of the
free room on the "m" mbuf is at least "n->m_len" after the call to m_inc(),
for all sizes of "n->m_len".
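The sizing problem discussed above, as an added example that is not slirp's or QEMU's code: a simplified mbuf (its layout is an assumption, not slirp's real struct) with the quoted one-step growth policy beside a variant that grows until the free room covers n->m_len. The one-step variant refuses the copy instead of overflowing, so the n->m_len > MINCSIZE failure is observable without corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>

#define MINCSIZE 4096            /* slirp's growth step, as quoted in the thread */

/* Simplified stand-in for slirp's struct mbuf (assumption: the real layout differs) */
struct mbuf { int m_size; int m_len; char *m_data; };
#define M_FREEROOM(m) ((m)->m_size - (m)->m_len)

static struct mbuf *m_get(int size) {
    struct mbuf *m = malloc(sizeof *m);
    if (m) { m->m_data = malloc(size); m->m_size = size; m->m_len = 0; }
    return m;
}
static void m_free(struct mbuf *m) { if (m) { free(m->m_data); free(m); } }

/* Resize m to hold 'size' bytes; 0 on success, -1 on allocation failure. */
static int m_inc(struct mbuf *m, int size) {
    char *p = realloc(m->m_data, size);
    if (!p) return -1;
    m->m_data = p; m->m_size = size;
    return 0;
}

/* Growth policy quoted in the thread: a single fixed MINCSIZE step. The real
 * code then memcpy'd unconditionally; here the copy is refused when the step
 * was not enough, which is exactly the n->m_len > MINCSIZE case. */
static int m_cat_fixed_step(struct mbuf *m, struct mbuf *n) {
    if (M_FREEROOM(m) < n->m_len && m_inc(m, m->m_size + MINCSIZE) < 0) return -1;
    if (M_FREEROOM(m) < n->m_len) return -1;          /* would overflow the heap */
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len); m->m_len += n->m_len;
    return 0;
}

/* Robust policy: grow until M_FREEROOM(m) >= n->m_len, whatever n->m_len is. */
static int m_cat_robust(struct mbuf *m, struct mbuf *n) {
    if (M_FREEROOM(m) < n->m_len) {
        int size = m->m_size;
        while (size - m->m_len < n->m_len) size += MINCSIZE;
        if (m_inc(m, size) < 0) return -1;
    }
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len); m->m_len += n->m_len;
    return 0;
}

/* Append nlen bytes to an msize-byte mbuf already holding mlen bytes.
 * Returns 0 when the data landed where expected, -1 when refused or failed. */
int try_cat(int (*cat)(struct mbuf *, struct mbuf *), int msize, int mlen, int nlen) {
    struct mbuf *m = m_get(msize), *n = m_get(nlen);
    int rc = -1;
    if (m && n && m->m_data && n->m_data) {
        memset(m->m_data, 'A', mlen); m->m_len = mlen;   /* constructed payloads */
        memset(n->m_data, 'B', nlen); n->m_len = nlen;
        rc = cat(m, n);
        if (rc == 0 && (m->m_len != mlen + nlen || m->m_data[mlen] != 'B')) rc = -1;
    }
    m_free(m); m_free(n);
    return rc;
}
```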