From: Samuel Thibault <samuel.thibault@gnu.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, Prasad J Pandit <pjp@fedoraproject.org>,
	patches@linaro.org, Jan Kiszka <jan.kiszka@siemens.com>,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
	liqsub1 <liqsub1@163.com>
Subject: Re: [Qemu-devel] [PATCH for-3.0] slirp: Correct size check in m_inc()
Date: Tue, 7 Aug 2018 13:54:40 +0200
Message-ID: <20180807115440.hnfn3k4ugmsa4pan@var.youpi.perso.aquilenet.fr>
In-Reply-To: <20180807114501.12370-1-peter.maydell@linaro.org>

Peter Maydell, on Tue, 07 Aug 2018 12:45:01 +0100, wrote:
> The data in an mbuf buffer is not necessarily at the start of the
> allocated buffer. (For instance m_adj() allows data to be trimmed
> from the start by just advancing the pointer and reducing the length.)
> This means that the allocated buffer size (m->m_size) and the
> amount of space from the m_data pointer to the end of the
> buffer (M_ROOM(m)) are not necessarily the same.
> 
> Commit 864036e251f54c9 tried to change the m_inc() function from
> taking the new allocated-buffer-size to taking the new room-size,
> but forgot to change the initial "do we already have enough space"
> check. This meant that if we were trying to extend a buffer which
> had a leading gap between the buffer start and the data, we might
> incorrectly decide it didn't need to be extended, and then
> overrun the end of the buffer, causing memory corruption and
> an eventual crash.
> 
> Change the "already big enough?" condition from checking the
> argument against m->m_size to checking against M_ROOM().
> This only makes a difference for the callsite in m_cat();
> the other three callsites all start with a freshly allocated
> mbuf from m_get(), which will have m->m_size == M_ROOM(m).
> 
> Fixes: 864036e251f54c9
> Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

> ---
>  slirp/mbuf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/mbuf.c b/slirp/mbuf.c
> index 0c189e1a7bf..1b7868355a3 100644
> --- a/slirp/mbuf.c
> +++ b/slirp/mbuf.c
> @@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size)
>      int datasize;
>  
>      /* some compilers throw up on gotos.  This one we can fake. */
> -    if (m->m_size > size) {
> +    if (M_ROOM(m) > size) {
>          return;
>      }
>  
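Review bot: The guard keeps the strict `>` from the old line, so a request for exactly `M_ROOM(m)` bytes of room still falls through to the reallocation path below even though the bytes after `m_data` already fit; that is a spare reallocation rather than an overrun, but if `size` now means "room required after m_data" the exact test is `if (M_ROOM(m) >= size)`, and if the off-by-one is deliberate a short comment on why would save the next reader the same question. `M_ROOM()` is a macro not shown in this hunk, so the reviewer should also confirm it measures from `m_data` to the end of the allocation, as the commit message describes, and that the `datasize` computation and the allocation that follow this hunk use the same room-based meaning of `size`.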
> -- 
> 2.17.1
> 
> 

-- 
Samuel
"And the next time you consider complaining that running Lucid Emacs
19.05 via NFS from a remote Linux machine in Paraguay doesn't seem to
get the background colors right, you'll know who to thank."
(By Matt Welsh)
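The layout the commit message describes, as an added example that is not part of this thread and not slirp's code: a cut-down C model of an mbuf with a leading gap between the allocated buffer (m_dat) and the live data (m_data). The pool, M_EXT handling and the rest of slirp's mbuf.c are left out, growth is done with a plain realloc (an assumption of this model, not slirp's mechanism), and the 12-byte payload is constructed for the example. The block keeps the pre-fix guard as a separate predicate so the reader can see it report "enough space" for an mbuf whose room is in fact too small, while m_inc() carries the corrected M_ROOM() check and m_cat() relies on it.

```c
/*
 * Added example (not slirp's code): a cut-down model of the slirp mbuf
 * layout, written for this page to show why m_inc() must compare the
 * requested size against M_ROOM(m) rather than m->m_size. Field names
 * follow slirp; pooling, M_EXT handling and other details are left out.
 */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

struct mbuf {
    char *m_dat;    /* start of the allocated buffer (here: plain heap memory) */
    char *m_data;   /* start of the live data; sits past m_dat after m_adj() */
    int   m_len;    /* bytes of live data from m_data */
    int   m_size;   /* bytes allocated at m_dat */
};

/* Space from m_data to the end of the allocation, the quantity m_inc() needs. */
#define M_ROOM(m) ((m)->m_size - (int)((m)->m_data - (m)->m_dat))

struct mbuf *m_get(int size)
{
    struct mbuf *m = calloc(1, sizeof *m);
    assert(m != NULL);
    m->m_dat = calloc(1, (size_t)size);
    assert(m->m_dat != NULL);
    m->m_data = m->m_dat;       /* fresh mbuf: m_size == M_ROOM(m) */
    m->m_size = size;
    m->m_len = 0;
    return m;
}

void m_free(struct mbuf *m)
{
    free(m->m_dat);
    free(m);
}

/* Trim len bytes from the front by advancing m_data, leaving a leading gap. */
void m_adj(struct mbuf *m, int len)
{
    assert(len >= 0 && len <= m->m_len);
    m->m_data += len;
    m->m_len -= len;
}

/* The pre-fix guard from m_inc(): returns 1 if it would skip growing the buffer. */
int old_check_says_enough(const struct mbuf *m, int size)
{
    return m->m_size > size;
}

/* Returns 1 if writing extra bytes after the live data would pass the end of m_dat. */
int would_overrun(const struct mbuf *m, int extra)
{
    return m->m_len + extra > M_ROOM(m);
}

/* Grow m so that at least size bytes of room follow m_data, keeping the
 * leading gap and the live data where they are relative to m_dat. */
void m_inc(struct mbuf *m, int size)
{
    int datasize;
    char *p;

    if (M_ROOM(m) > size) {     /* corrected guard: room, not total allocation */
        return;
    }
    datasize = (int)(m->m_data - m->m_dat);
    p = realloc(m->m_dat, (size_t)(size + datasize));
    assert(p != NULL);
    m->m_dat = p;
    m->m_data = p + datasize;
    m->m_size = size + datasize;
}

/* Append n's data to m, growing m first. With the old guard, an m that had
 * been trimmed by m_adj() could skip the growth and the memcpy would run
 * past the end of m_dat. */
void m_cat(struct mbuf *m, const struct mbuf *n)
{
    m_inc(m, m->m_len + n->m_len);
    memcpy(m->m_data + m->m_len, n->m_data, (size_t)n->m_len);
    m->m_len += n->m_len;
}

/* Build the shape that triggered the bug: a 16-byte buffer holding 12 bytes
 * of constructed sample data, with the first 8 trimmed off the front. */
struct mbuf *make_trimmed(void)
{
    struct mbuf *m = m_get(16);
    memcpy(m->m_data, "0123456789AB", 12);
    m->m_len = 12;
    m_adj(m, 8);                /* live data is now "89AB"; M_ROOM(m) == 8 */
    return m;
}
```

With make_trimmed() the mbuf has m_size 16 but only 8 bytes of room after m_data. Asking m_inc() for 12 bytes of room (4 live plus 8 appended) satisfies the old `m_size > size` test, so the old code would not grow and the 8-byte copy in m_cat() would end 4 bytes past the allocation; the corrected guard sees 8 > 12 as false, reallocates to 20 bytes, and the copy fits exactly. A freshly m_get()'d mbuf has m_size == M_ROOM(m), which is why the other three m_inc() callers were unaffected.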

Thread overview: 17+ messages
2018-08-07 11:45 [Qemu-devel] [PATCH for-3.0] slirp: Correct size check in m_inc() Peter Maydell
2018-08-07 11:54 ` Samuel Thibault [this message]
2018-08-07 12:52 ` Dr. David Alan Gilbert
2018-08-07 12:58   ` Daniel P. Berrangé
2018-08-07 13:07     ` Thomas Huth
2018-08-07 13:09       ` Daniel P. Berrangé
2018-08-07 13:47         ` Peter Maydell
2018-08-07 15:47           ` Markus Armbruster
2018-08-07 15:58             ` Peter Maydell
2018-08-07 13:45 ` Peter Maydell
2018-08-09 11:12 ` Dr. David Alan Gilbert
2018-08-09 11:25   ` Peter Maydell
2018-08-09 11:32     ` Dr. David Alan Gilbert
2018-08-09 21:54       ` Samuel Thibault
2018-08-10  9:02         ` Peter Maydell
2018-08-10  9:08           ` Samuel Thibault
2018-08-10  9:13             ` Peter Maydell
