| Message ID | 20230824153224.2517486-3-peter.maydell@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | net: avoid variable length arrays | expand |
On [2023 Aug 24] Thu 16:32:22, Peter Maydell wrote: > Replace an on-stack variable length array in of_dpa_ig() with > a g_autofree heap allocation. > > The codebase has very few VLAs, and if we can get rid of them all we > can make the compiler error on new additions. This is a defensive > measure against security bugs where an on-stack dynamic allocation > isn't correctly size-checked (e.g. CVE-2021-3527). > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> > --- > hw/net/rocker/rocker_of_dpa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c > index dfe47544694..5e16056be66 100644 > --- a/hw/net/rocker/rocker_of_dpa.c > +++ b/hw/net/rocker/rocker_of_dpa.c > @@ -1043,7 +1043,7 @@ static void of_dpa_flow_ig_tbl(OfDpaFlowContext *fc, uint32_t tbl_id) > static ssize_t of_dpa_ig(World *world, uint32_t pport, > const struct iovec *iov, int iovcnt) > { > - struct iovec iov_copy[iovcnt + 2]; > + g_autofree struct iovec *iov_copy = g_new(struct iovec, iovcnt + 2); > OfDpaFlowContext fc = { > .of_dpa = world_private(world), > .in_pport = pport, > -- > 2.34.1 > >
diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c index dfe47544694..5e16056be66 100644 --- a/hw/net/rocker/rocker_of_dpa.c +++ b/hw/net/rocker/rocker_of_dpa.c @@ -1043,7 +1043,7 @@ static void of_dpa_flow_ig_tbl(OfDpaFlowContext *fc, uint32_t tbl_id) static ssize_t of_dpa_ig(World *world, uint32_t pport, const struct iovec *iov, int iovcnt) { - struct iovec iov_copy[iovcnt + 2]; + g_autofree struct iovec *iov_copy = g_new(struct iovec, iovcnt + 2); OfDpaFlowContext fc = { .of_dpa = world_private(world), .in_pport = pport,
Replace an on-stack variable length array in of_dpa_ig() with a g_autofree heap allocation. The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/net/rocker/rocker_of_dpa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)