From: Samuel Thibault
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: jan.kiszka@siemens.com, Prasad J Pandit, stefanha@redhat.com, Samuel Thibault
Date: Fri, 8 Jun 2018 09:13:15 +0300
Message-Id: <20180608061316.4909-5-samuel.thibault@ens-lyon.org>
In-Reply-To: <20180608061316.4909-1-samuel.thibault@ens-lyon.org>
Subject: [Qemu-devel] [PULL 4/5] slirp: correct size computation while concatenating mbuf

From: Prasad J Pandit

While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat.

Reported-by: ZDI Disclosures
Signed-off-by: Prasad J Pandit
Signed-off-by: Samuel Thibault
---
 slirp/mbuf.c | 11 +++++------
 slirp/mbuf.h |  8 +++-----
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 5ff24559fd..18cbf759a7 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c
@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) * If there's no room, realloc */ if (M_FREEROOM(m) < n->m_len) - m_inc(m,m->m_size+MINCSIZE); + m_inc(m, m->m_len + n->m_len); =20 memcpy(m->m_data+m->m_len, n->m_data, n->m_len); m->m_len +=3D n->m_len; @@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) } =20 =20 -/* make m size bytes large */ +/* make m 'size' bytes large from m_data */ void m_inc(struct mbuf *m, int size) { @@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) =20 if (m->m_flags & M_EXT) { datasize =3D m->m_data - m->m_ext; - m->m_ext =3D g_realloc(m->m_ext, size); + m->m_ext =3D g_realloc(m->m_ext, size + datasize); m->m_data =3D m->m_ext + datasize; } else { char *dat; datasize =3D m->m_data - m->m_dat; - dat =3D g_malloc(size); + dat =3D g_malloc(size + datasize); memcpy(dat, m->m_dat, m->m_size); =20 m->m_ext =3D dat; @@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) m->m_flags |=3D M_EXT; } =20 - m->m_size =3D size; - + m->m_size =3D size + datasize; } =20 =20 diff --git a/slirp/mbuf.h b/slirp/mbuf.h index 893601ff9d..33b84485d6 100644 --- a/slirp/mbuf.h +++ b/slirp/mbuf.h @@ -33,8 +33,6 @@ #ifndef MBUF_H #define MBUF_H =20 -#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ - /* * Macros for type conversion * mtod(m,t) - convert mbuf pointer to data pointer of correct type @@ -72,11 +70,11 @@ struct mbuf { struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ int m_flags; /* Misc flags */ =20 - int m_size; /* Size of data */ + int m_size; /* Size of mbuf, from m_dat or m_ext */ struct socket *m_so; =20 - caddr_t m_data; /* Location of data */ - int m_len; /* Amount of data in this mbuf */ + caddr_t m_data; /* Current location of data */ + int m_len; /* Amount of data in this mbuf, from m_data */ =20 Slirp *slirp; bool resolution_requested; --=20 2.17.1
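Review bot: in the m_cat hunk, the new request `m_inc(m, m->m_len + n->m_len)` sizes the buffer to exactly what the following `memcpy(m->m_data+m->m_len, n->m_data, n->m_len)` needs, whereas the old `m_inc(m,m->m_size+MINCSIZE)` grew by a fixed 4096 bytes regardless of n->m_len, so a fragment larger than the free room plus MINCSIZE still overran the allocation; that is the heap overwrite the commit message describes. Two things to confirm before merging: M_FREEROOM is not in this diff, so check that it derives free room as buffer base plus m_size, minus m_data and m_len, which is what the new meaning of m_size (size + datasize, set in m_inc) assumes; and because growth is now exact, a chain of small fragments will realloc on every m_cat call, which is fine for correctness but worth a comment so nobody reintroduces a fixed increment without re-deriving the bound.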
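Review bot: the updated comment `/* make m 'size' bytes large from m_data */` changes the documented contract of m_inc's size argument from an absolute buffer size to a size relative to m_data, but the patch only updates the call site in m_cat; any other caller of m_inc that still passes an absolute size would now allocate datasize bytes more than it intended, so a sentence in the commit message (or a grep result) confirming m_cat is the only caller would help reviewers check that the new contract is applied everywhere.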
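Review bot: in the m_inc body hunk, the non-M_EXT path copies `memcpy(dat, m->m_dat, m->m_size)` into a buffer of `size + datasize` bytes, which is only safe while size + datasize >= m->m_size, that is, while m_inc is only ever asked to grow; nothing in m_inc enforces that, so a `g_assert(size + datasize >= m->m_size)` or an early return when no growth is needed would make the precondition explicit instead of relying on the single caller's M_FREEROOM check. The M_EXT path correctly recomputes `m->m_data = m->m_ext + datasize` after `g_realloc`, since the block may move.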
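Review bot: dropping `#define MINCSIZE 4096` from mbuf.h is right once m_cat no longer uses it, but because this is a header, any other translation unit in slirp that still references MINCSIZE will fail to build; confirm a full slirp build rather than only mbuf.c, and keep the define if another user turns up.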
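Review bot: the new field comments (`m_size` from m_dat or m_ext, `m_len` from m_data) pin down the two reference points that the old comments left ambiguous, which is the root of the bug: the old m_inc stored `m->m_size = size` while placing m_data at `m_ext + datasize`, so m_size was measured from a different base than the rest of the code assumed. The room-computing macros in mbuf.h (M_FREEROOM is used in m_cat) are not in this hunk; verify they measure from m_dat/m_ext using m_size exactly as these comments now state, otherwise the comment and the arithmetic will disagree again.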