Patchwork [0.14] slirp: fix buffer overrun

Submitter Bruce Rogers
Date Feb. 7, 2011, 4:23 p.m.
Message ID <4D4FBA0002000048000A9795@novprvoes0310.provo.novell.com>
Permalink /patch/82138/
State New

Comments

Bruce Rogers - Feb. 7, 2011, 4:23 p.m.
Since the addition of the slirp member to struct mbuf, the value of
SLIRP_MSIZE and the initialization of m_size have not been correct,
resulting in overrunning the end of the malloc'd buffer in some cases.

Signed-off-by: Bruce Rogers <brogers@novell.com>
---
 slirp/mbuf.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
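To make the defect concrete, here is an added, stand-alone C model (example code, not slirp's own mbuf.c): a simplified struct mbuf with an embedded header struct, the extra slirp member whose addition caused the mismatch, and the payload array m_dat. The IF_MTU and IF_MAXLINKHDR values are assumed. It computes m_size and the real payload room both the old way (sizeof(struct m_hdr)) and the patched way (offsetof(struct mbuf, m_dat)), and reports by how many bytes filling m_dat up to m_size would overrun the allocation.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of slirp's mbuf (example code, not QEMU's
   own struct): a header struct embedded first, then the slirp member whose
   addition caused the bug, then the payload array m_dat. */
struct mbuf;
struct m_hdr {
    struct mbuf *mh_next;
    struct mbuf *mh_prev;
    int mh_flags;
    int mh_size;
    char *mh_data;
    int mh_len;
};

struct mbuf {
    struct m_hdr m_hdr;
    void *slirp;        /* added after m_hdr: m_dat no longer starts at sizeof(struct m_hdr) */
    char m_dat[1];      /* payload area; the real allocation extends past the struct */
};

#define IF_MTU        1500  /* assumed values for the example */
#define IF_MAXLINKHDR 14

/* Before the patch: header size taken as sizeof(struct m_hdr). */
#define OLD_HDR_SIZE  sizeof(struct m_hdr)
#define OLD_MSIZE     (IF_MTU + IF_MAXLINKHDR + OLD_HDR_SIZE + 6)
/* After the patch: header size taken as the real offset of m_dat. */
#define NEW_HDR_SIZE  offsetof(struct mbuf, m_dat)
#define NEW_MSIZE     (IF_MTU + IF_MAXLINKHDR + NEW_HDR_SIZE + 6)

/* m_size as m_get() computes it: allocation size minus assumed header size. */
size_t advertised_room(size_t alloc_size, size_t hdr_size)
{
    return alloc_size - hdr_size;
}

/* Bytes really available from m_dat to the end of a malloc(alloc_size) block. */
size_t actual_room(size_t alloc_size)
{
    return alloc_size - offsetof(struct mbuf, m_dat);
}

/* Positive result: filling m_dat up to m_size writes past the allocation. */
long overrun_bytes(size_t alloc_size, size_t hdr_size)
{
    return (long)advertised_room(alloc_size, hdr_size) - (long)actual_room(alloc_size);
}

int main(void)
{
    printf("sizeof(struct m_hdr)=%zu offsetof(m_dat)=%zu\n",
           sizeof(struct m_hdr), offsetof(struct mbuf, m_dat));
    printf("old: m_size=%zu, room=%zu, overrun=%ld bytes\n",
           advertised_room(OLD_MSIZE, OLD_HDR_SIZE), actual_room(OLD_MSIZE),
           overrun_bytes(OLD_MSIZE, OLD_HDR_SIZE));
    printf("new: m_size=%zu, room=%zu, overrun=%ld bytes\n",
           advertised_room(NEW_MSIZE, NEW_HDR_SIZE), actual_room(NEW_MSIZE),
           overrun_bytes(NEW_MSIZE, NEW_HDR_SIZE));
    return 0;
}
```

Note that m_size itself comes out the same both ways (IF_MTU + IF_MAXLINKHDR + 6); what the patch changes is the allocation, which grows by exactly offsetof(struct mbuf, m_dat) minus sizeof(struct m_hdr), i.e. the size of the slirp member plus any padding, so the advertised room and the real room agree again.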

Patch

diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 87508ba..ce2eb84 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -23,7 +23,7 @@ 
  * Find a nice value for msize
  * XXX if_maxlinkhdr already in mtu
  */
-#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6)
+#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)

 void
 m_init(Slirp *slirp)
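Review bot: the new SLIRP_MSIZE uses offsetof, which needs <stddef.h>, and this hunk adds no include; please confirm mbuf.c (or a header it already pulls in) provides it, otherwise the build fails exactly where the fix lands. A one-line comment beside the macro saying why offsetof(struct mbuf, m_dat) rather than sizeof(struct m_hdr) is the header size, now that struct mbuf has members after m_hdr, would also help, since the old expression looked plausible and the stale "XXX if_maxlinkhdr already in mtu" comment right above suggests this spot is rarely revisited.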
@@ -65,7 +65,7 @@  m_get(Slirp *slirp)
        m->m_flags = (flags | M_USEDLIST);

        /* Initialise it */
-       m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
+       m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat);
        m->m_data = m->m_dat;
        m->m_len = 0;
         m->m_nextpkt = NULL;
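Review bot: m_size is now derived with the same offsetof(struct mbuf, m_dat) that sizes the allocation, which is what makes the two consistent, but the header size is now spelled out twice (here and in SLIRP_MSIZE). Suggest one helper macro, e.g. `#define MBUF_HDR_SIZE offsetof(struct mbuf, m_dat)`, used in both places, so that adding another member to struct mbuf cannot reintroduce the mismatch this patch fixes. The bare `+ 6` in SLIRP_MSIZE also deserves a comment saying what it pads for.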