
[win-pv-devel] [PATCH 3/4] Fix potential buffer overflow



The __min in XENFILT's FdoQueryDeviceRelations() should be a __max. The only
reason this mistake did not lead to an immediate buffer overflow was because
the allocation incorrectly used sizeof (DEVICE_OBJECT) rather than
sizeof (PDEVICE_OBJECT).

Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
 src/xenfilt/fdo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xenfilt/fdo.c b/src/xenfilt/fdo.c
index 42a40e8..cff179b 100644
--- a/src/xenfilt/fdo.c
+++ b/src/xenfilt/fdo.c
@@ -1160,7 +1160,7 @@ FdoQueryDeviceRelations(
     }
 
     Size = FIELD_OFFSET(DEVICE_RELATIONS, Objects) +
-           (sizeof (DEVICE_OBJECT) * __min(Count, 1));
+           (sizeof (PDEVICE_OBJECT) * __max(Count, 1));
 
     Relations = __AllocatePoolWithTag(PagedPool, Size, 'TLIF');
 
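Review bot: In the Size computation the element size is still spelled as a type name, which is exactly the slip the commit message describes (DEVICE_OBJECT for PDEVICE_OBJECT) and one the compiler cannot catch. Suggest deriving it from the array itself, e.g. `sizeof (Relations->Objects[0]) * __max(Count, 1)`, so that it follows the DEVICE_RELATIONS declaration. The multiplication is also unchecked: if Count is not bounded elsewhere in FdoQueryDeviceRelations(), add an explicit check before the __AllocatePoolWithTag() call, or a comment stating where the bound comes from. A one-line comment on why at least one slot is allocated when Count is 0 would help the next reader avoid reintroducing __min.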
-- 
2.1.1

