diff options
author | Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> | 2023-11-06 15:00:28 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2023-11-06 15:00:28 +0000 |
commit | 35bafa95da671f5a902e87fcc301f76f82cd0831 (patch) | |
tree | 4d4e13d9c833dc5b7247bb4551bfc02f235a054e /io | |
parent | 59a3aff685fdb930244c7aa439e121b60e50f266 (diff) | |
download | qemu-35bafa95da671f5a902e87fcc301f76f82cd0831.zip qemu-35bafa95da671f5a902e87fcc301f76f82cd0831.tar.gz qemu-35bafa95da671f5a902e87fcc301f76f82cd0831.tar.bz2 |
io/channel-socket: qio_channel_socket_flush(): improve msg validation
For SO_EE_ORIGIN_ZEROCOPY the 32-bit notification range is encoded
as [ee_info, ee_data] inclusively, so ee_info should be less or
equal to ee_data.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-7-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'io')
-rw-r--r-- | io/channel-socket.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/io/channel-socket.c b/io/channel-socket.c index 02ffb51..3a899b0 100644 --- a/io/channel-socket.c +++ b/io/channel-socket.c @@ -782,6 +782,11 @@ static int qio_channel_socket_flush(QIOChannel *ioc, "Error not from zero copy"); return -1; } + if (serr->ee_data < serr->ee_info) { + error_setg_errno(errp, serr->ee_origin, + "Wrong notification bounds"); + return -1; + } /* No errors, count successfully finished sendmsg()*/ sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1; |