authorBruce Rogers <brogers@novell.com>2011-02-05 14:47:56 -0700
committerAnthony Liguori <aliguori@us.ibm.com>2011-02-14 13:23:00 -0600
commit09d1b6639140b8788937aec9aa218b385800687a (patch)
tree576b4dc0e5470ba6dc3152728bd8bdb937c64443
parentb2b281d876912a2af75cc77459a6b499638638ba (diff)
PATCH] slirp: fix buffer overrun
Since the addition of the slirp member to struct mbuf, the value of SLIRP_MSIZE and the initialization of m_size have not been correct, resulting in overrunning the end of the malloc'd buffer in some cases. Signed-off-by: Bruce Rogers <brogers@novell.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r--mbuf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/mbuf.c b/mbuf.c
index d3a55f8..d479cb7 100644
--- a/mbuf.c
+++ b/mbuf.c
@@ -23,7 +23,7 @@
* Find a nice value for msize
* XXX if_maxlinkhdr already in mtu
*/
-#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr) + 6)
+#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)
void m_init(Slirp *slirp)
{
@@ -64,7 +64,7 @@ struct mbuf *m_get(Slirp *slirp)
m->m_flags = (flags | M_USEDLIST);
/* Initialise it */
- m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
+ m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat);
m->m_data = m->m_dat;
m->m_len = 0;
m->m_nextpkt = NULL;
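Review bot: The two new lines compute the header prefix against different types: the macro in the first hunk uses `offsetof(struct mbuf, m_dat)`, while the `m_size` initialisation here uses `offsetof(struct m_hdr, m_dat)`. The commit message attributes the overrun to the `slirp` member added to `struct mbuf`, i.e. the data area now starts after `struct m_hdr` plus that pointer, so `m_size` must subtract exactly the `struct mbuf` offset the macro adds; if `m_dat` is a member of `struct mbuf` only (as the macro suggests), the `struct m_hdr` form would not compile, and if it did resolve it would presumably leave `m_size` too large by the size of that pointer, keeping part of the overrun. Suggested line: `m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat);`. Naming the offset once, e.g. `#define MBUF_HDR_LEN offsetof(struct mbuf, m_dat)`, and using it in both places would keep the allocation size and the usable size from drifting apart again. The body of m_get continues outside the hunk.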