From patchwork Tue Aug 7 11:45:01 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 143577
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, Samuel Thibault, Jan Kiszka, Prasad J Pandit, "Dr . David Alan Gilbert", liqsub1
Subject: [PATCH for-3.0] slirp: Correct size check in m_inc()
Date: Tue, 7 Aug 2018 12:45:01 +0100
Message-Id: <20180807114501.12370-1-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.17.1

The data in an mbuf buffer is not necessarily at the start of the
allocated buffer. (For instance m_adj() allows data to be trimmed from
the start by just advancing the pointer and reducing the length.)
This means that the allocated buffer size (m->m_size) and the amount
of space from the m_data pointer to the end of the buffer (M_ROOM(m))
are not necessarily the same.

Commit 864036e251f54c9 tried to change the m_inc() function from
taking the new allocated-buffer-size to taking the new room-size,
but forgot to change the initial "do we already have enough space"
check. This meant that if we were trying to extend a buffer which
had a leading gap between the buffer start and the data, we might
incorrectly decide it didn't need to be extended, and then overrun
the end of the buffer, causing memory corruption and an eventual
crash.

Change the "already big enough?" condition from checking the argument
against m->m_size to checking against M_ROOM(). This only makes a
difference for the callsite in m_cat(); the other three callsites
all start with a freshly allocated mbuf from m_get(), which will
have m->m_size == M_ROOM(m).

Fixes: 864036e251f54c9
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
Signed-off-by: Peter Maydell
---
 slirp/mbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.17.1

Reviewed-by: Samuel Thibault
Tested-by: Dr. David Alan Gilbert
Signed-off-by: Peter Maydell

diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 0c189e1a7bf..1b7868355a3 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size) int datasize; /* some compilers throw up on gotos. This one we can fake. */ - if (m->m_size > size) { + if (M_ROOM(m) > size) { return; }
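Review bot: the new condition keeps the strict `>` of the old check, so a request for exactly M_ROOM(m) bytes still falls through to the reallocation path even though the buffer already has that much room after m_data; if the one-byte margin is not needed, `if (M_ROOM(m) >= size)` avoids a needless realloc, and either way a short comment stating that the check is deliberately on room rather than on m->m_size (the distinction this fix is about) would keep the next reader from "simplifying" it back to the broken form. The pre-existing comment about gotos just above the check no longer describes anything at this site and could go in the same patch.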
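The commit message describes the failure abstractly: after a front trim, m->m_size stays the same while M_ROOM(m) shrinks, so a check against m->m_size can say "enough space" when there is not. The following added example (not slirp's code; a simplified stand-in mbuf with hypothetical helper names m_room, m_adj_front, overrun_with_check) reproduces that scenario with both the pre-fix and the fixed entry check and reports how many bytes a caller such as m_cat() would write past the end of the allocation if it trusted each check:

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified stand-in for slirp's struct mbuf (assumption: the real one
 * has more fields and an M_EXT case for external buffers, which do not
 * matter for the entry check being discussed).
 *   m_size : bytes allocated at m_buf
 *   m_data : first payload byte, which may sit after m_buf
 *   m_len  : payload length at m_data
 */
struct mbuf {
    char *m_buf;
    char *m_data;
    int   m_size;
    int   m_len;
};

/* Space from m_data to the end of the allocation, i.e. slirp's M_ROOM(m). */
static int m_room(const struct mbuf *m)
{
    return (int)(m->m_buf + m->m_size - m->m_data);
}

/* Fresh mbuf: payload starts at the buffer start, so m_size == M_ROOM(m). */
static struct mbuf *m_get_sized(int size)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (!m) abort();
    m->m_buf = calloc(1, (size_t)size);
    if (!m->m_buf) abort();
    m->m_data = m->m_buf;
    m->m_size = size;
    m->m_len = 0;
    return m;
}

static void m_free_sized(struct mbuf *m)
{
    free(m->m_buf);
    free(m);
}

/* m_adj() in the "trim from the front" case: advance the pointer, shrink the length. */
static void m_adj_front(struct mbuf *m, int len)
{
    m->m_data += len;
    m->m_len -= len;
}

/* Pre-fix m_inc() entry check: compares against the allocation size. */
int enough_room_buggy(const struct mbuf *m, int size)
{
    return m->m_size > size;
}

/* Fixed m_inc() entry check: compares against the room after m_data. */
int enough_room_fixed(const struct mbuf *m, int size)
{
    return m_room(m) > size;
}

/*
 * Build an mbuf of `alloc` bytes, trim `trim` bytes off the front, then ask
 * the chosen check whether `want` bytes fit at m_data. If the check says
 * yes and a caller then copies `want` bytes there, return how many of them
 * land past the end of the allocation (0 means the check was safe, or the
 * check correctly sent us to the grow path).
 */
int overrun_with_check(int alloc, int trim, int want, int use_fixed)
{
    struct mbuf *m = m_get_sized(alloc);
    m->m_len = alloc;
    m_adj_front(m, trim);

    int enough = use_fixed ? enough_room_fixed(m, want)
                           : enough_room_buggy(m, want);
    int overrun = 0;
    if (enough) {
        int excess = want - m_room(m);
        overrun = excess > 0 ? excess : 0;
    }
    printf("alloc=%d trim=%d want=%d room=%d check=%s -> overrun %d bytes\n",
           alloc, trim, want, m_room(m), use_fixed ? "M_ROOM" : "m_size", overrun);
    m_free_sized(m);
    return overrun;
}

int main(void)
{
    /* Constructed scenario: 64-byte buffer, 32 bytes trimmed, 48 bytes wanted. */
    overrun_with_check(64, 32, 48, 0);   /* m_size 64 > 48: "enough", 16-byte overrun */
    overrun_with_check(64, 32, 48, 1);   /* room 32 > 48 is false: grow, no overrun */
    overrun_with_check(64, 0, 48, 0);    /* fresh mbuf: both checks agree */
    return 0;
}
```

The constructed scenario is the m_cat() case from the commit message: the buffer was trimmed at the front, so m->m_size (64) still exceeds the requested 48 bytes while only 32 bytes of room remain after m_data. With the fixed check the same request falls through to the grow path, and for an untrimmed mbuf both checks give the same answer, which is why the other three callsites were unaffected.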