gwj / at91sam9263 · Commits

Commit abcd2baab187cc3b1fcce13b697da5874a123e39

Authored by aliguori
1 parent 31c05501

net socket verify packet size (Dustin Kirkland) 

net socket oversized packet

This is a patch being carried by Ubuntu against kvm/qemu.

Verify packet size before performing memcpy().

Signed-off-by: Dustin Kirkland <kirkland@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6647 c046a42c-6fe2-441c-8c8c-71466251a162
Inline Side-by-side
Showing 1 changed file with 13 additions and 4 deletions
... ... @@ -1093,8 +1093,8 @@ typedef struct NetSocketState {
1093 1093 VLANClientState *vc;
1094 1094 int fd;
1095 1095 int state; /* 0 = getting length, 1 = getting data */
1096   - int index;
1097   - int packet_len;
  1096 + unsigned int index;
  1097 + unsigned int packet_len;
1098 1098 uint8_t buf[4096];
1099 1099 struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
1100 1100 } NetSocketState;
... ... @@ -1127,7 +1127,8 @@ static void net_socket_receive_dgram(void *opaque, const uint8_t *buf, int size)
1127 1127 static void net_socket_send(void *opaque)
1128 1128 {
1129 1129 NetSocketState *s = opaque;
1130   - int l, size, err;
  1130 + int size, err;
  1131 + unsigned l;
1131 1132 uint8_t buf1[4096];
1132 1133 const uint8_t *buf;
1133 1134  
... ... @@ -1166,7 +1167,15 @@ static void net_socket_send(void *opaque)
1166 1167 l = s->packet_len - s->index;
1167 1168 if (l > size)
1168 1169 l = size;
1169   - memcpy(s->buf + s->index, buf, l);
  1170 + if (s->index + l <= sizeof(s->buf)) {
  1171 + memcpy(s->buf + s->index, buf, l);
  1172 + } else {
  1173 + fprintf(stderr, "serious error: oversized packet received,"
  1174 + "connection terminated.\n");
  1175 + s->state = 0;
  1176 + goto eoc;
  1177 + }
  1178 +
1170 1179 s->index += l;
1171 1180 buf += l;
1172 1181 size -= l;
... ...