From patchwork Sat Feb 5 21:47:56 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: PATCH] slirp: fix buffer overrun Date: Sat, 05 Feb 2011 11:47:56 -0000 From: Bruce Rogers X-Patchwork-Id: 82021 Message-Id: <4D4D631C02000048000A96A0@novprvoes0310.provo.novell.com> To: Since the addition of the slirp member to struct mbuf, the value of SLIRP_MSIZE and the initialization of m_size have not been correct, resulting in overrunning the end of the malloc'd buffer in some cases. Signed-off-by: Bruce Rogers --- slirp/mbuf.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 87508ba..ce2eb84 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c @@ -23,7 +23,7 @@ * Find a nice value for msize * XXX if_maxlinkhdr already in mtu */ -#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6) +#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6) void m_init(Slirp *slirp) @@ -65,7 +65,7 @@ m_get(Slirp *slirp) m->m_flags = (flags | M_USEDLIST); /* Initialise it */ - m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr); + m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat); m->m_data = m->m_dat; m->m_len = 0; m->m_nextpkt = NULL;
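Review bot: the first hunk switches SLIRP_MSIZE to `offsetof(struct mbuf, m_dat)`, which is the right size to use now that `struct mbuf` carries a `slirp` member after `m_hdr`, but `offsetof` lives in `<stddef.h>` and the hunk does not show that header being included in slirp/mbuf.c; please confirm it is already pulled in (directly or via slirp.h) so the macro does not fail to compile on every target. The unexplained `+ 6` slack in the same line was the only thing hiding this overrun before; a short comment saying what those bytes are for would stop the next reader from trimming it.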
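Review bot: the second hunk repeats the `offsetof(struct mbuf, m_dat)` expression from SLIRP_MSIZE by hand in `m_get()`, so the macro and `m->m_size` are again two separate computations that must be kept in step, which is exactly how `sizeof(struct m_hdr)` drifted out of date when the `slirp` member was added. Suggest defining the header size once (for example `#define SLIRP_MHDR_SIZE offsetof(struct mbuf, m_dat)`) and using it in both places, or deriving `m_size` directly from `sizeof(m->m_dat)` so the usable length cannot disagree with the allocation. It would also help the commit message to say which path triggered the overrun ("in some cases") so the fix can be verified.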