Message ID | 20230824153224.2517486-5-peter.maydell@linaro.org
---|---
State | Superseded
Series | net: avoid variable length arrays
On [2023 Aug 24] Thu 16:32:24, Peter Maydell wrote: > Use a heap allocation instead of a variable length array in > tap_receive_iov(). > > The codebase has very few VLAs, and if we can get rid of them all we > can make the compiler error on new additions. This is a defensive > measure against security bugs where an on-stack dynamic allocation > isn't correctly size-checked (e.g. CVE-2021-3527). > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> > --- > net/tap.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/tap.c b/net/tap.c > index 1bf085d4228..34b1e3f0918 100644 > --- a/net/tap.c > +++ b/net/tap.c > @@ -117,10 +117,11 @@ static ssize_t tap_receive_iov(NetClientState *nc, const struct iovec *iov, > { > TAPState *s = DO_UPCAST(TAPState, nc, nc); > const struct iovec *iovp = iov; > - struct iovec iov_copy[iovcnt + 1]; > + g_autofree struct iovec *iov_copy = NULL; > struct virtio_net_hdr_mrg_rxbuf hdr = { }; > > if (s->host_vnet_hdr_len && !s->using_vnet_hdr) { > + iov_copy = g_new(struct iovec, iovcnt + 1); > iov_copy[0].iov_base = &hdr; > iov_copy[0].iov_len = s->host_vnet_hdr_len; > memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov)); > -- > 2.34.1 > >
diff --git a/net/tap.c b/net/tap.c index 1bf085d4228..34b1e3f0918 100644 --- a/net/tap.c +++ b/net/tap.c @@ -117,10 +117,11 @@ static ssize_t tap_receive_iov(NetClientState *nc, const struct iovec *iov, { TAPState *s = DO_UPCAST(TAPState, nc, nc); const struct iovec *iovp = iov; - struct iovec iov_copy[iovcnt + 1]; + g_autofree struct iovec *iov_copy = NULL; struct virtio_net_hdr_mrg_rxbuf hdr = { }; if (s->host_vnet_hdr_len && !s->using_vnet_hdr) { + iov_copy = g_new(struct iovec, iovcnt + 1); iov_copy[0].iov_base = &hdr; iov_copy[0].iov_len = s->host_vnet_hdr_len; memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov));
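Review bot: the new `iov_copy = g_new(struct iovec, iovcnt + 1);` is overflow- and OOM-checked by g_new itself, which is the property the VLA lacked, but the `iovcnt + 1` is still evaluated as an int before g_new sees it, and iovcnt is a caller-supplied count; an `assert(iovcnt >= 0)` at the top of tap_receive_iov(), or a one-line comment stating the assumption, would make the bound explicit. Two things worth a sentence in the commit message: this allocation now sits on the per-packet path whenever `s->host_vnet_hdr_len && !s->using_vnet_hdr`, so the common vnet-header path is unaffected but the fallback path gains a malloc/free per packet; and because g_autofree frees iov_copy at function exit, whatever `iovp` is later pointed at must be fully consumed before tap_receive_iov() returns (the remainder of the function is not in this hunk).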
Use a heap allocation instead of a variable length array in
tap_receive_iov().

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 net/tap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
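The two patterns the commit message contrasts, as an added standalone example that is not QEMU's code: the VLA version whose array length is whatever the caller passed, beside a heap version that bounds the count before sizing anything. `MAX_IOV_ENTRIES`, `fake_vnet_hdr`, `build_iov_with_header` and `demo_total_len` are names chosen for this illustration; `calloc()` stands in for glib's `g_new()` (both check the element-count multiplication for overflow, but g_new aborts on failure where calloc returns NULL), and the payload and header contents are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/*
 * Assumed ceiling on iovec entries a caller may hand us. Linux limits a
 * single writev() to IOV_MAX (1024) entries; the constant is defined
 * locally so the example compiles without platform-specific headers.
 */
#define MAX_IOV_ENTRIES 1024

/* Constructed stand-in for the vnet header the tap path prepends. */
struct fake_vnet_hdr {
    uint8_t bytes[12];
};

static size_t iov_total_len(const struct iovec *iov, int cnt)
{
    size_t total = 0;
    for (int i = 0; i < cnt; i++) {
        total += iov[i].iov_len;
    }
    return total;
}

/*
 * Before: the pattern the patch removes. The array length comes straight
 * from the caller and nothing bounds it, so a hostile iovcnt moves the
 * stack pointer by an arbitrary amount before any check can run.
 * Compiling with -Werror=vla makes the compiler reject this declaration.
 */
static size_t prepend_header_vla(const struct iovec *iov, int iovcnt,
                                 void *hdr, size_t hdr_len)
{
    struct iovec iov_copy[iovcnt + 1];            /* VLA */

    iov_copy[0].iov_base = hdr;
    iov_copy[0].iov_len = hdr_len;
    memcpy(&iov_copy[1], iov, (size_t)iovcnt * sizeof(*iov));
    return iov_total_len(iov_copy, iovcnt + 1);
}

/*
 * After: heap allocation behind an explicit bound. calloc() checks the
 * nmemb * size product for overflow, as g_new() does in glib. The caller
 * frees the result; in QEMU g_autofree does that at scope exit.
 */
static struct iovec *build_iov_with_header(const struct iovec *iov, int iovcnt,
                                           void *hdr, size_t hdr_len)
{
    struct iovec *iov_copy;

    if (iovcnt < 0 || iovcnt > MAX_IOV_ENTRIES) {
        return NULL;                              /* reject before sizing anything */
    }
    iov_copy = calloc((size_t)iovcnt + 1, sizeof(*iov_copy));
    if (iov_copy == NULL) {
        return NULL;
    }
    iov_copy[0].iov_base = hdr;
    iov_copy[0].iov_len = hdr_len;
    if (iovcnt > 0) {
        memcpy(&iov_copy[1], iov, (size_t)iovcnt * sizeof(*iov));
    }
    return iov_copy;
}

/*
 * Drives the hardened builder on constructed input: iovcnt entries of
 * 100 bytes each plus the 12-byte header. Returns the byte count the
 * header-prefixed vector describes, or 0 when the count is rejected.
 */
size_t demo_total_len(int iovcnt)
{
    static char payload[100];                     /* constructed sample data */
    struct fake_vnet_hdr hdr = { { 0 } };
    struct iovec *iov = NULL;
    struct iovec *with_hdr;
    size_t total;

    if (iovcnt > 0 && iovcnt <= MAX_IOV_ENTRIES) {
        iov = calloc((size_t)iovcnt, sizeof(*iov));
        for (int i = 0; i < iovcnt; i++) {
            iov[i].iov_base = payload;
            iov[i].iov_len = sizeof(payload);
        }
    }
    with_hdr = build_iov_with_header(iov, iovcnt, &hdr, sizeof(hdr));
    if (with_hdr == NULL) {
        free(iov);
        return 0;
    }
    total = iov_total_len(with_hdr, iovcnt + 1);
    /* On benign counts both versions describe the same bytes; they differ
     * only in what a hostile count does (VLA: unbounded stack move). */
    if (iovcnt > 0 && total != prepend_header_vla(iov, iovcnt, &hdr, sizeof(hdr))) {
        total = 0;
    }
    free(with_hdr);
    free(iov);
    return total;
}
```

Building with `cc -std=c11 -Werror=vla` fails on the `struct iovec iov_copy[iovcnt + 1];` line, which is the compiler check the commit message wants to enable once the last VLA is gone; drop that function and the same flag lets the rest through. The bound check in `build_iov_with_header` is the piece g_new alone does not give you: g_new refuses a count that overflows the multiplication, but a count that is merely absurd still has to be rejected by the caller.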