mirror of
https://passt.top/passt
synced 2025-05-22 09:15:34 +02:00
packet: Avoid integer overflows in packet_get_do()
In packet_get_do() both offset and len are essentially untrusted. We do some validation of len (check it's < PACKET_MAX_LEN), but that's not enough to ensure that (len + offset) doesn't overflow. Rearrange our calculation to make sure it's safe regardless of the given offset & len values. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
David Gibson
Stefano Brivio
parent
c48331ca51
commit
37d9f374d9
1 changed files with 2 additions and 1 deletions
3
packet.c
3
packet.c
|
|
@ -144,7 +144,8 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if (len + offset > p->pkt[idx].iov_len) {
|
||||
if (offset > p->pkt[idx].iov_len ||
|
||||
len > (p->pkt[idx].iov_len - offset)) {
|
||||
if (func) {
|
||||
trace("data length %zu, offset %zu from length %zu, "
|
||||
"%s:%i", len, offset, p->pkt[idx].iov_len,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue