Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply
On 18/01/16 16:38, David Vrabel wrote:
> On 18/01/16 16:29, Insu Yun wrote:
>> When len is greater than UINT_MAX - sizeof(*rb), the next allocation
>> can overflow the integer range and allocate a small heap buffer.
>> After that, memcpy will overflow the allocated heap.
>> Therefore, the given length needs to be checked.
> [...]
>> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const
>> void *data, size_t len)
>>  {
>>  	struct read_buffer *rb;
>>  
>> -	if (len == 0)
>> +	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
>                           ^^^^^^^^^^^^^^^^^^^^^^
> Please check
>
>     len > XENSTORE_PAYLOAD_MAX
>
> instead. And return -EINVAL in this case (not zero).

David

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
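Review bot: the added `len >= UINT_MAX - sizeof(*rb)` test is folded into the existing `len == 0` branch, so an oversized reply takes the same path as an empty one and, as the reply above notes, returns zero instead of an error; give it its own branch that returns -EINVAL so the caller learns the reply was rejected. The bound is also the wrong one for the type: `len` is a `size_t` in the function signature shown in the hunk header, so `UINT_MAX` does not describe its range on 64-bit builds, and checking `len > XENSTORE_PAYLOAD_MAX` against the protocol's own maximum, as suggested, avoids the size arithmetic altogether.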