Patchwork [for-1.6,1/4] rdma: use resp.len after validation in qemu_rdma_registration_stop

Submitter mrhines@linux.vnet.ibm.com
Date Aug. 7, 2013, 4:05 p.m.
Message ID <1375891530-13759-2-git-send-email-mrhines@linux.vnet.ibm.com>
Permalink /patch/265561/
State New

Comments

mrhines@linux.vnet.ibm.com - Aug. 7, 2013, 4:05 p.m.
From: Isaku Yamahata <yamahata@private.email.ne.jp>

resp.len is given by the remote host, so it should be validated before use.
Otherwise memcpy can access beyond the buffer.

Cc: Michael R. Hines <mrhines@us.ibm.com>
Reviewed-by: Orit Wasserman <owasserm@redhat.com>
Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp>
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
---
 migration-rdma.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

Patch

diff --git a/migration-rdma.c b/migration-rdma.c
index 3a380d4..6721266 100644
--- a/migration-rdma.c
+++ b/migration-rdma.c
@@ -3045,10 +3045,6 @@  static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
             return ret;
         }
 
-        qemu_rdma_move_header(rdma, reg_result_idx, &resp);
-        memcpy(rdma->block,
-            rdma->wr_data[reg_result_idx].control_curr, resp.len);
-
         nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock);
 
         /*
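Review bot: nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock), left in place at the end of the removed region, truncates, so a resp.len that is not a whole multiple of the entry size goes into the later checks with its remainder silently dropped. Since resp.len comes from the remote host, consider rejecting resp.len % sizeof(RDMARemoteBlock) != 0 with -EINVAL at this point, before the count is used. The validation that sits between this line and the relocated memcpy is not visible in the hunk, so it is worth confirming that it bounds the byte length against the size of rdma->block and not only the derived block count.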
@@ -3070,6 +3066,9 @@  static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
             return -EINVAL;
         }
 
+        qemu_rdma_move_header(rdma, reg_result_idx, &resp);
+        memcpy(rdma->block,
+            rdma->wr_data[reg_result_idx].control_curr, resp.len);
         for (i = 0; i < nb_remote_blocks; i++) {
             network_to_remote_block(&rdma->block[i]);
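Review bot: the relocated memcpy still takes the raw wire field resp.len as its length, while the for loop directly below it walks nb_remote_blocks entries; copying nb_remote_blocks * sizeof(RDMARemoteBlock) instead would keep the copy and the loop on the same quantity and avoid copying a trailing partial entry. Style: the removed lines had a blank line after the memcpy, and the added ones run straight into the for loop. Restoring that blank line, plus a short comment saying the copy must stay below the length check, would help keep the order from being flipped back in a later cleanup.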