Message ID | 20230824153224.2517486-4-peter.maydell@linaro.org |
---|---|
State | Superseded |
Series | net: avoid variable length arrays |
On [2023 Aug 24] Thu 16:32:23, Peter Maydell wrote: > Use a g_autofree heap allocation instead of a variable length > array in dump_receive_iov(). > > The codebase has very few VLAs, and if we can get rid of them all we > can make the compiler error on new additions. This is a defensive > measure against security bugs where an on-stack dynamic allocation > isn't correctly size-checked (e.g. CVE-2021-3527). > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> > --- > net/dump.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/dump.c b/net/dump.c > index 7d05f16ca7a..16073f24582 100644 > --- a/net/dump.c > +++ b/net/dump.c > @@ -68,7 +68,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt, > int64_t ts; > int caplen; > size_t size = iov_size(iov, cnt) - offset; > - struct iovec dumpiov[cnt + 1]; > + g_autofree struct iovec *dumpiov = g_new(struct iovec, cnt + 1); > > /* Early return in case of previous error. */ > if (s->fd < 0) { > -- > 2.34.1 > >
diff --git a/net/dump.c b/net/dump.c index 7d05f16ca7a..16073f24582 100644 --- a/net/dump.c +++ b/net/dump.c @@ -68,7 +68,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt, int64_t ts; int caplen; size_t size = iov_size(iov, cnt) - offset; - struct iovec dumpiov[cnt + 1]; + g_autofree struct iovec *dumpiov = g_new(struct iovec, cnt + 1); /* Early return in case of previous error. */ if (s->fd < 0) {
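Review bot: the g_new() call sits at the declaration, above the "Early return in case of previous error" check on s->fd, so once the dump has failed every call still performs a heap allocation and free for an array it never uses. Consider declaring `g_autofree struct iovec *dumpiov = NULL;` and assigning `dumpiov = g_new(struct iovec, cnt + 1);` after the `if (s->fd < 0)` block. Separately, cnt is a plain int and the hunk shows no bound on it before cnt + 1 becomes the element count; an assertion, or a comment stating what callers guarantee, would keep the size check the commit message is concerned with visible at the allocation site.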
Use a g_autofree heap allocation instead of a variable length array in dump_receive_iov().

The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

net/dump.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)