openkylin
/
qemu
mirror of https://gitee.com/openkylin/qemu.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

PATCH] slirp: fix buffer overrun 

Since the addition of the slirp member to struct mbuf, the value of
SLIRP_MSIZE and the initialization of m_size have not been correct,
resulting in overrunning the end of the malloc'd buffer in some cases.

Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
Bruce Rogers 2011-02-05 14:47:56 -07:00 committed by Anthony Liguori
parent 0fbfbb59a9
commit 53fae6d27f
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
slirp/mbuf.c
View File

@ -23,7 +23,7 @@
* Find a nice value for msize
* XXX if_maxlinkhdr already in mtu
*/
#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6)
#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)
void
m_init(Slirp *slirp)
@ -65,7 +65,7 @@ m_get(Slirp *slirp)
m->m_flags = (flags | M_USEDLIST);
/* Initialise it */
m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat);
m->m_data = m->m_dat;
m->m_len = 0;
m->m_nextpkt = NULL;