091d374633
Resolves: rhbz#1970826 Resolves: rhbz#1970839 Resolves: rhbz#1970857 Resolves: rhbz#1970847
55 lines
1.5 KiB
Diff
55 lines
1.5 KiB
Diff
From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
Date: Fri, 4 Jun 2021 15:58:25 +0400
|
|
Subject: [PATCH 1/7] Add mtod_check()
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Recent security issues demonstrate the lack of safety care when casting
|
|
a mbuf to a particular structure type. At least, it should check that
|
|
the buffer is large enough. The following patches will make use of this
|
|
function.
|
|
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17)
|
|
---
|
|
src/mbuf.c | 11 +++++++++++
|
|
src/mbuf.h | 1 +
|
|
2 files changed, 12 insertions(+)
|
|
|
|
diff --git a/src/mbuf.c b/src/mbuf.c
|
|
index 54ec721..cb2e971 100644
|
|
--- a/src/mbuf.c
|
|
+++ b/src/mbuf.c
|
|
@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
|
|
|
|
return (struct mbuf *)0;
|
|
}
|
|
+
|
|
+void *mtod_check(struct mbuf *m, size_t len)
|
|
+{
|
|
+ if (m->m_len >= len) {
|
|
+ return m->m_data;
|
|
+ }
|
|
+
|
|
+ DEBUG_ERROR("mtod failed");
|
|
+
|
|
+ return NULL;
|
|
+}
|
|
diff --git a/src/mbuf.h b/src/mbuf.h
|
|
index 546e785..2015e32 100644
|
|
--- a/src/mbuf.h
|
|
+++ b/src/mbuf.h
|
|
@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
|
|
void m_adj(struct mbuf *, int);
|
|
int m_copy(struct mbuf *, struct mbuf *, int, int);
|
|
struct mbuf *dtom(Slirp *, void *);
|
|
+void *mtod_check(struct mbuf *, size_t len);
|
|
|
|
static inline void ifs_init(struct mbuf *ifm)
|
|
{
|
|
--
|
|
2.29.0
|
|
|