Commit 53fae6d2 authored by Bruce Rogers's avatar Bruce Rogers Committed by Anthony Liguori

[PATCH] slirp: fix buffer overrun



Since the addition of the slirp member to struct mbuf, the value of
SLIRP_MSIZE and the initialization of m_size have not been correct,
resulting in overrunning the end of the malloc'd buffer in some cases.

Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
parent 0fbfbb59
+2 −2
@@ -23,7 +23,7 @@
 * Find a nice value for msize
 * XXX if_maxlinkhdr already in mtu
 */
#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6)
#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)

void
m_init(Slirp *slirp)
@@ -65,7 +65,7 @@ m_get(Slirp *slirp)
	m->m_flags = (flags | M_USEDLIST);

	/* Initialise it */
	m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
	m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat);
	m->m_data = m->m_dat;
	m->m_len = 0;
        m->m_nextpkt = NULL;
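Review bot: The two new lines disagree on which struct `m_dat` belongs to: the macro in the first hunk is now `offsetof(struct mbuf, m_dat)`, but the `m_size` initialisation in m_get subtracts `offsetof(struct m_hdr, m_dat)`. The line right after it, `m->m_data = m->m_dat`, shows `m_dat` is a member of `struct mbuf`, so the subtraction should use the same type, `m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat);`, which makes `m_size` exactly the payload bytes left after the header and keeps the overrun this commit fixes from reappearing as an off-by-header miscount. As printed, the `struct m_hdr` form would either not compile (if `m_dat` is not a member of `struct m_hdr`) or leave `m_size` wrong by the difference between the two offsets; if this is only a rendering glitch on the page, it is harmless, but it is worth confirming against the tree. `offsetof` also needs `<stddef.h>`, and the include block is outside this view, so check it is already pulled in. m_get's body starts and ends outside the hunk.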