* [Qemu-devel] [PATCH v1 1/2] slirp: correct size computation while concatenating mbuf
2018-06-06 10:35 [Qemu-devel] [PATCH v1 0/2] correct size computation in m_cat P J P
@ 2018-06-06 10:35 ` P J P
2018-06-06 10:35 ` [Qemu-devel] [PATCH v1 2/2] slirp: reformat m_cat routine P J P
1 sibling, 0 replies; 3+ messages in thread
From: P J P @ 2018-06-06 10:35 UTC (permalink / raw)
To: Qemu Developers; +Cc: Samuel Thibault, Jan Kiszka, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
slirp/mbuf.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Update v1: fixed indentation
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01121.html
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 5ff24559fd..6650981fc7 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -137,8 +137,9 @@ m_cat(struct mbuf *m, struct mbuf *n)
/*
* If there's no room, realloc
*/
- if (M_FREEROOM(m) < n->m_len)
- m_inc(m,m->m_size+MINCSIZE);
+ if (M_FREEROOM(m) < n->m_len) {
+ m_inc(m, m->m_len + n->m_len);
+ }
memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len;
@@ -158,12 +159,12 @@ m_inc(struct mbuf *m, int size)
if (m->m_flags & M_EXT) {
datasize = m->m_data - m->m_ext;
- m->m_ext = g_realloc(m->m_ext, size);
+ m->m_ext = g_realloc(m->m_ext, size + datasize);
m->m_data = m->m_ext + datasize;
} else {
char *dat;
datasize = m->m_data - m->m_dat;
- dat = g_malloc(size);
+ dat = g_malloc(size + datasize);
memcpy(dat, m->m_dat, m->m_size);
m->m_ext = dat;
@@ -171,7 +172,7 @@ m_inc(struct mbuf *m, int size)
m->m_flags |= M_EXT;
}
- m->m_size = size;
+ m->m_size = size + datasize;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [Qemu-devel] [PATCH v1 2/2] slirp: reformat m_cat routine
2018-06-06 10:35 [Qemu-devel] [PATCH v1 0/2] correct size computation in m_cat P J P
2018-06-06 10:35 ` [Qemu-devel] [PATCH v1 1/2] slirp: correct size computation while concatenating mbuf P J P
@ 2018-06-06 10:35 ` P J P
1 sibling, 0 replies; 3+ messages in thread
From: P J P @ 2018-06-06 10:35 UTC (permalink / raw)
To: Qemu Developers; +Cc: Samuel Thibault, Jan Kiszka, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
Coding style changes to the m_cat routine and minor refactoring.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
slirp/mbuf.c | 36 ++++++++++++++++--------------------
1 file changed, 16 insertions(+), 20 deletions(-)
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 6650981fc7..e012cd4760 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -152,32 +152,28 @@ m_cat(struct mbuf *m, struct mbuf *n)
void
m_inc(struct mbuf *m, int size)
{
- int datasize;
+ int datasize;
- /* some compiles throw up on gotos. This one we can fake. */
- if(m->m_size>size) return;
+ /* some compiles throw up on gotos. This one we can fake. */
+ if (m->m_size > size) {
+ return;
+ }
- if (m->m_flags & M_EXT) {
- datasize = m->m_data - m->m_ext;
- m->m_ext = g_realloc(m->m_ext, size + datasize);
- m->m_data = m->m_ext + datasize;
- } else {
- char *dat;
- datasize = m->m_data - m->m_dat;
- dat = g_malloc(size + datasize);
- memcpy(dat, m->m_dat, m->m_size);
-
- m->m_ext = dat;
- m->m_data = m->m_ext + datasize;
- m->m_flags |= M_EXT;
- }
-
- m->m_size = size + datasize;
+ if (m->m_flags & M_EXT) {
+ datasize = m->m_data - m->m_ext;
+ m->m_ext = g_realloc(m->m_ext, size + datasize);
+ } else {
+ datasize = m->m_data - m->m_dat;
+ m->m_ext = g_malloc(size + datasize);
+ memcpy(m->m_ext, m->m_dat, m->m_size);
+ m->m_flags |= M_EXT;
+ }
+ m->m_data = m->m_ext + datasize;
+ m->m_size = size + datasize;
}
-
void
m_adj(struct mbuf *m, int len)
{
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread