diff options
author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2021-06-04 15:58:25 +0400 |
---|---|---|
committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2021-06-14 11:35:54 +0400 |
commit | 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (patch) | |
tree | 7445e9a496bfda1f6faafd0c1e0af1dac212af2f | |
parent | 5758d835e431886e862a8b849ac2236b7cfed067 (diff) | |
download | slirp-93e645e72a056ec0b2c16e0299fc5c6b94e4ca17.zip slirp-93e645e72a056ec0b2c16e0299fc5c6b94e4ca17.tar.gz slirp-93e645e72a056ec0b2c16e0299fc5c6b94e4ca17.tar.bz2 |
Add mtod_check()
Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r-- | src/mbuf.c | 11 | ||||
-rw-r--r-- | src/mbuf.h | 1 |
2 files changed, 12 insertions, 0 deletions
@@ -263,3 +263,14 @@ struct mbuf *m_dup(Slirp *slirp, struct mbuf *m, return n; } + +void *mtod_check(struct mbuf *m, size_t len) +{ + if (m->m_len >= len) { + return m->m_data; + } + + DEBUG_ERROR("mtod failed"); + + return NULL; +} @@ -126,6 +126,7 @@ void m_adj(struct mbuf *, int); int m_copy(struct mbuf *, struct mbuf *, int, int); struct mbuf *m_dup(Slirp *slirp, struct mbuf *m, bool copy_header, size_t header_size); struct mbuf *dtom(Slirp *, void *); +void *mtod_check(struct mbuf *, size_t len); static inline void ifs_init(struct mbuf *ifm) { |