From 52bf635da30c75d0fdb0a3e7e7b9a2483ca033fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 29 Jul 2021 04:55:59 -0400 Subject: [PATCH 05/14] Add mtod_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Marc-André Lureau Message-id: <20210708082537.1550263-2-marcandre.lureau@redhat.com> Patchwork-id: 101819 O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/8] Add mtod_check() Bugzilla: 1970819 1970835 1970843 1970853 RH-Acked-by: Stefano Garzarella RH-Acked-by: Eric Blake RH-Acked-by: Stefan Hajnoczi From: Marc-André Lureau Recent security issues demonstrate the lack of safety care when casting a mbuf to a particular structure type. At least, it should check that the buffer is large enough. The following patches will make use of this function. Signed-off-by: Marc-André Lureau (cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17) Signed-off-by: Marc-André Lureau Signed-off-by: Miroslav Rezanina --- slirp/src/mbuf.c | 11 +++++++++++ slirp/src/mbuf.h | 1 + 2 files changed, 12 insertions(+) diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c index 4fd62282a9..6d0653ed3d 100644 --- a/slirp/src/mbuf.c +++ b/slirp/src/mbuf.c @@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) return (struct mbuf *)0; } + +void *mtod_check(struct mbuf *m, size_t len) +{ + if (m->m_len >= len) { + return m->m_data; + } + + DEBUG_ERROR("mtod failed"); + + return NULL; +} diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h index 546e7852c5..2015e3232f 100644 --- a/slirp/src/mbuf.h +++ b/slirp/src/mbuf.h @@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); void m_adj(struct mbuf *, int); int m_copy(struct mbuf *, struct mbuf *, int, int); struct mbuf *dtom(Slirp *, void *); +void *mtod_check(struct mbuf *, size_t len); static inline void ifs_init(struct mbuf *ifm) { -- 2.27.0