[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply

On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
> it can overflow integer range and allocates small size of heap.
> After that, memcpy will overflow the allocated heap.
> Therefore, it needs to check the size of given length.
[...]
> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const 
> void *data, size_t len)
>  {
>       struct read_buffer *rb;
>  
> -     if (len == 0)
> +     if (len == 0 || len >= UINT_MAX - sizeof(*rb))
                               ^^^^^^^^^^^^^^^^^^^^^^
Please check

    len > XENSTORE_PAYLOAD_MAX

instead.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.