Commit abcd2baab187cc3b1fcce13b697da5874a123e39
1 parent
31c05501
net socket verify packet size (Dustin Kirkland)
net socket oversized packet This is a patch being carried by Ubuntu against kvm/qemu. Verify packet size before performing memcpy(). Signed-off-by: Dustin Kirkland <kirkland@canonical.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6647 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
13 additions
and
4 deletions
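--- a/net.c
+++ b/net.c
@@ -1093,8 +1093,8 @@ typedef struct NetSocketState {
 VLANClientState *vc;
 int fd;
 int state; /* 0 = getting length, 1 = getting data */
-int index;
-int packet_len;
+unsigned int index;
+unsigned int packet_len;
 uint8_t buf[4096];
 struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -1127,7 +1127,8 @@ static void net_socket_receive_dgram(void *opaque, const uint8_t *buf, int size)
 static void net_socket_send(void *opaque)
 {
 NetSocketState *s = opaque;
-int l, size, err;
+int size, err;
+unsigned l;
 uint8_t buf1[4096];
 const uint8_t *buf;
 
@@ -1166,7 +1167,15 @@ static void net_socket_send(void *opaque)
 l = s->packet_len - s->index;
 if (l > size)
 l = size;
-memcpy(s->buf + s->index, buf, l);
+if (s->index + l <= sizeof(s->buf)) {
+memcpy(s->buf + s->index, buf, l);
+} else {
+fprintf(stderr, "serious error: oversized packet received,"
+"connection terminated.\n");
+s->state = 0;
+goto eoc;
+}
+
 s->index += l;
 buf += l;
 size -= l;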
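Review bot: The new `if (s->index + l <= sizeof(s->buf))` guard only detects an oversized frame after its payload has started to arrive, because `s->packet_len`, which is read from the wire in the state-0 branch outside this hunk, is never compared with `sizeof(s->buf)` when it is parsed; rejecting `packet_len > sizeof(s->buf)` at that point would refuse the frame before any data is buffered and make the copy-time check a pure safety net. The clamp `if (l > size)` now compares the unsigned `l` with the signed `size`, so a negative `size` would be promoted to a large unsigned value and leave `l` unclamped — presumably `size` is already known non-negative earlier in net_socket_send, but that code is outside the hunk and worth confirming. The two adjacent string literals in the new fprintf concatenate to `received,connection`; the first should end with a space, `"serious error: oversized packet received, "`. The error path sets `s->state = 0` but leaves `s->index` untouched before `goto eoc`, so the label (outside the hunk) needs to close the socket or reset `s->index`, otherwise a later call could resume from a stale offset. net_socket_send begins and ends outside this hunk.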