author | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2009-02-27 19:54:01 +0000 |
---|---|---|
committer | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2009-02-27 19:54:01 +0000 |
commit | abcd2baab187cc3b1fcce13b697da5874a123e39 (patch) | |
tree | a6fc608e36a0f0ba9472d2224e51ad8c46165f76 /net.c | |
parent | 31c05501c76b917bef4ae477f093e27dc9ef1b3b (diff) | |
net socket verify packet size (Dustin Kirkland)
net socket oversized packet
This is a patch being carried by Ubuntu against kvm/qemu.
Verify packet size before performing memcpy().
Signed-off-by: Dustin Kirkland <kirkland@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6647 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'net.c')
-rw-r--r-- | net.c | 17 |
1 files changed, 13 insertions, 4 deletions
@@ -1093,8 +1093,8 @@ typedef struct NetSocketState {
     VLANClientState *vc;
     int fd;
     int state; /* 0 = getting length, 1 = getting data */
-    int index;
-    int packet_len;
+    unsigned int index;
+    unsigned int packet_len;
     uint8_t buf[4096];
     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -1127,7 +1127,8 @@ static void net_socket_receive_dgram(void *opaque, const uint8_t *buf, int size)
 static void net_socket_send(void *opaque)
 {
     NetSocketState *s = opaque;
-    int l, size, err;
+    int size, err;
+    unsigned l;
     uint8_t buf1[4096];
     const uint8_t *buf;
@@ -1166,7 +1167,15 @@ static void net_socket_send(void *opaque)
         l = s->packet_len - s->index;
         if (l > size)
             l = size;
-        memcpy(s->buf + s->index, buf, l);
+        if (s->index + l <= sizeof(s->buf)) {
+            memcpy(s->buf + s->index, buf, l);
+        } else {
+            fprintf(stderr, "serious error: oversized packet received,"
+                            "connection terminated.\n");
+            s->state = 0;
+            goto eoc;
+        }
+
         s->index += l;
         buf += l;
         size -= l;
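Review bot: The bound check added in the third hunk fires only when a chunk is about to be copied into `s->buf`, yet `packet_len` is read from the peer in state 0 (outside this hunk) and could be rejected there with `if (s->packet_len > sizeof(s->buf)) { /* same error path */ }`, so an oversized length is refused before any of its payload is buffered instead of after up to `sizeof(s->buf)` bytes have been accepted. With `l` now `unsigned` (second hunk), `if (l > size)` compares it against the `int size`; this is only correct if `size` is guaranteed non-negative where it is assigned, which is not visible here, so a `(unsigned)size` cast or a one-line comment stating that invariant would make the intent explicit. The two adjacent string literals in the `fprintf` concatenate without a separator and the message reads `received,connection terminated.`; the first literal should end `"oversized packet received, "`. The error path resets `s->state` but not `s->index`, so if `eoc` does not tear down the connection (its code is outside the hunk) the next read would resume appending at the stale offset; resetting `s->index = 0` alongside `s->state = 0` would be cheap insurance. net_socket_send's body starts and ends outside this hunk.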