[Xen-devel] [PATCH v2 3/6] tools/libxl: Avoid overrunning static buffer with prefixdata
From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> An individual datacopier_buf contains a static buffer of 1000 bytes. Attempting to add prefixdata of more than 1000 bytes would overrun the buffer and cause heap corruption. Instead, split the prefixdata and chain together multiple datacopier buffers. This allows for an arbitrary quantity of prefixdata to be added to a datacopier. Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CC: Ian Campbell <Ian.Campbell@xxxxxxxxxx> CC: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> --- v2: Rewrite commit message. No code change --- tools/libxl/libxl_aoutils.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tools/libxl/libxl_aoutils.c b/tools/libxl/libxl_aoutils.c index 3e0c0ae..6882ca3 100644 --- a/tools/libxl/libxl_aoutils.c +++ b/tools/libxl/libxl_aoutils.c @@ -160,6 +160,8 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc, { EGC_GC; libxl__datacopier_buf *buf; + const uint8_t *ptr; + /* * It is safe for this to be called immediately after _start, as * is documented in the public comment. _start's caller must have @@ -170,12 +172,14 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc, assert(len < dc->maxsz - dc->used); - buf = libxl__zalloc(NOGC, sizeof(*buf)); - buf->used = len; - memcpy(buf->buf, data, len); + for (ptr = data; len; len -= buf->used, ptr += buf->used) { + buf = libxl__malloc(NOGC, sizeof(*buf)); + buf->used = min(len, sizeof(buf->buf)); + memcpy(buf->buf, ptr, buf->used); - dc->used += len; - LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry); + dc->used += buf->used; + LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry); + } } static int datacopier_pollhup_handled(libxl__egc *egc, -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
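
Review bot: In the second hunk (the loop in libxl__datacopier_prefixdata), the allocation changes from libxl__zalloc to libxl__malloc, so the bytes of buf->buf beyond buf->used in the final chunk, and any struct field not assigned in the loop, are now uninitialised. Only buf->used and the list entry (via LIBXL_TAILQ_INSERT_TAIL) are set here; if libxl__datacopier_buf has other members, or any consumer reads past buf->used, keep libxl__zalloc, or state in the commit message why the zeroing is no longer needed. Also, a call with len == 0 used to queue an empty buffer and now queues nothing, which is worth a line in the commit message if callers can pass zero.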