diff options
author | Bruce Rogers <brogers@novell.com> | 2011-02-05 14:47:56 -0700 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-02-14 13:23:00 -0600 |
commit | 53fae6d27f342a17bdc218dc51ccccebd99f3545 (patch) | |
tree | 4e5763726615ff65df9eb09978e98eaef0d4f997 /slirp | |
parent | 0fbfbb59a9766247be20023b17eb7872e7b29323 (diff) | |
download | qemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.tar.gz qemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.tar.bz2 qemu-53fae6d27f342a17bdc218dc51ccccebd99f3545.zip |
PATCH] slirp: fix buffer overrun
Since the addition of the slirp member to struct mbuf, the value of
SLIRP_MSIZE and the initialization of m_size have not been correct,
resulting in overrunning the end of the malloc'd buffer in some cases.
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'slirp')
-rw-r--r-- | slirp/mbuf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 87508ba013..eadc802241 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c @@ -23,7 +23,7 @@ * Find a nice value for msize * XXX if_maxlinkhdr already in mtu */ -#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6) +#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6) void m_init(Slirp *slirp) @@ -65,7 +65,7 @@ m_get(Slirp *slirp) m->m_flags = (flags | M_USEDLIST); /* Initialise it */ - m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr); + m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat); m->m_data = m->m_dat; m->m_len = 0; m->m_nextpkt = NULL; |