From c28ce81c02a76d8d36e3e5b3cffdb72c31949423 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 7 Aug 2018 12:45:01 +0100 Subject: slirp: Correct size check in m_inc() The data in an mbuf buffer is not necessarily at the start of the allocated buffer. (For instance m_adj() allows data to be trimmed from the start by just advancing the pointer and reducing the length.) This means that the allocated buffer size (m->m_size) and the amount of space from the m_data pointer to the end of the buffer (M_ROOM(m)) are not necessarily the same. Commit 864036e251f54c9 tried to change the m_inc() function from taking the new allocated-buffer-size to taking the new room-size, but forgot to change the initial "do we already have enough space" check. This meant that if we were trying to extend a buffer which had a leading gap between the buffer start and the data, we might incorrectly decide it didn't need to be extended, and then overrun the end of the buffer, causing memory corruption and an eventual crash. Change the "already big enough?" condition from checking the argument against m->m_size to checking against M_ROOM(). This only makes a difference for the callsite in m_cat(); the other three callsites all start with a freshly allocated mbuf from m_get(), which will have m->m_size == M_ROOM(m). Fixes: 864036e251f54c9 Fixes: https://bugs.launchpad.net/qemu/+bug/1785670 Signed-off-by: Peter Maydell Reviewed-by: Samuel Thibault Message-id: 20180807114501.12370-1-peter.maydell@linaro.org Tested-by: Dr. David Alan Gilbert --- mbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mbuf.c b/mbuf.c index 2b1ef63..9335f9e 100644 --- a/mbuf.c +++ b/mbuf.c @@ -148,7 +148,7 @@ void m_inc(struct mbuf *m, int size) int datasize; /* some compilers throw up on gotos. This one we can fake. */ - if (m->m_size > size) { + if (M_ROOM(m) > size) { return; } -- cgit v1.1