summaryrefslogtreecommitdiff
path: root/slirp
diff options
context:
space:
mode:
authorBruce Rogers <brogers@novell.com>2011-02-05 14:47:56 -0700
committerAnthony Liguori <aliguori@us.ibm.com>2011-02-14 13:23:00 -0600
commit53fae6d27f342a17bdc218dc51ccccebd99f3545 (patch)
tree4e5763726615ff65df9eb09978e98eaef0d4f997 /slirp
parent0fbfbb59a9766247be20023b17eb7872e7b29323 (diff)
downloadqemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.tar.gz
qemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.tar.bz2
qemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.zip
PATCH] slirp: fix buffer overrun
Since the addition of the slirp member to struct mbuf, the value of SLIRP_MSIZE and the initialization of m_size have not been correct, resulting in overrunning the end of the malloc'd buffer in some cases. Signed-off-by: Bruce Rogers <brogers@novell.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'slirp')
-rw-r--r--slirp/mbuf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 87508ba013..eadc802241 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -23,7 +23,7 @@
* Find a nice value for msize
* XXX if_maxlinkhdr already in mtu
*/
-#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6)
+#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)
void
m_init(Slirp *slirp)
@@ -65,7 +65,7 @@ m_get(Slirp *slirp)
m->m_flags = (flags | M_USEDLIST);
/* Initialise it */
- m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
+ m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat);
m->m_data = m->m_dat;
m->m_len = 0;
m->m_nextpkt = NULL;