1. Patchew
  2. QEMU
  3. [Qemu-devel] [PATCH 0/2] correct size computation in m_cat
  4. View patch

[Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf

P J P posted 2 patches 7 years, 8 months ago
[Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
Posted by P J P 7 years, 8 months ago 
From: Prasad J Pandit <pjp@fedoraproject.org>

While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.

Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 slirp/mbuf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 5ff24559fd..0f45abd917 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
 	 * If there's no room, realloc
 	 */
 	if (M_FREEROOM(m) < n->m_len)
-		m_inc(m,m->m_size+MINCSIZE);
+		m_inc(m, m->m_len + n->m_len);
 
 	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
 	m->m_len += n->m_len;
@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
 
         if (m->m_flags & M_EXT) {
 	  datasize = m->m_data - m->m_ext;
-          m->m_ext = g_realloc(m->m_ext, size);
+          m->m_ext = g_realloc(m->m_ext, size + datasize);
 	  m->m_data = m->m_ext + datasize;
         } else {
 	  char *dat;
 	  datasize = m->m_data - m->m_dat;
-          dat = g_malloc(size);
+      dat = g_malloc(size + datasize);
 	  memcpy(dat, m->m_dat, m->m_size);
 
 	  m->m_ext = dat;
@@ -171,7 +171,7 @@ m_inc(struct mbuf *m, int size)
 	  m->m_flags |= M_EXT;
         }
 
-        m->m_size = size;
+        m->m_size = size + datasize;
 
 }
 
-- 
2.17.1
Re: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
Posted by Samuel Thibault 7 years, 8 months ago 
Hello,

P J P, le mar. 05 juin 2018 23:38:35 +0530, a ecrit:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While reassembling incoming fragmented datagrams, 'm_cat' routine
> extends the 'mbuf' buffer, if it has insufficient room. It computes
> a wrong buffer size, which leads to overwriting adjacent heap buffer
> area. Correct this size computation in m_cat.
> 
> Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Applied to my tree with a couple documentation improvements, thanks!

Samuel
Re: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
Posted by P J P 7 years, 8 months ago 
  Hello Samuel,

+-- On Wed, 6 Jun 2018, Samuel Thibault wrote --+
| > From: Prasad J Pandit <pjp@fedoraproject.org>
| > 
| > While reassembling incoming fragmented datagrams, 'm_cat' routine
| > extends the 'mbuf' buffer, if it has insufficient room. It computes
| > a wrong buffer size, which leads to overwriting adjacent heap buffer
| > area. Correct this size computation in m_cat.
| > 
| > Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
| > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
| 
| Applied to my tree with a couple documentation improvements, thanks!

  -> https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01144.html

This is patch v1 with indentation fix flagged by checkpatch.pl. In case you 
prefer this one.

Thank you.
--
 - P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.