[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL v2 18/24] linux-user: don't swap NLMSG_DATA() fields
From: |
riku . voipio |
Subject: |
[Qemu-devel] [PULL v2 18/24] linux-user: don't swap NLMSG_DATA() fields |
Date: |
Tue, 28 Jun 2016 22:12:52 +0300 |
From: Laurent Vivier <address@hidden>
If the structure pointed by NLMSG_DATA() is bigger
than the size of NLMSG_DATA(), don't swap its fields
to avoid memory corruption.
Signed-off-by: Laurent Vivier <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
---
linux-user/syscall.c | 72 ++++++++++++++++++++++++++++++----------------------
1 file changed, 42 insertions(+), 30 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 4b0d791..d3d7ee6 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1948,29 +1948,35 @@ static abi_long host_to_target_data_route(struct
nlmsghdr *nlh)
case RTM_NEWLINK:
case RTM_DELLINK:
case RTM_GETLINK:
- ifi = NLMSG_DATA(nlh);
- ifi->ifi_type = tswap16(ifi->ifi_type);
- ifi->ifi_index = tswap32(ifi->ifi_index);
- ifi->ifi_flags = tswap32(ifi->ifi_flags);
- ifi->ifi_change = tswap32(ifi->ifi_change);
- host_to_target_link_rtattr(IFLA_RTA(ifi),
- nlmsg_len - NLMSG_LENGTH(sizeof(*ifi)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*ifi))) {
+ ifi = NLMSG_DATA(nlh);
+ ifi->ifi_type = tswap16(ifi->ifi_type);
+ ifi->ifi_index = tswap32(ifi->ifi_index);
+ ifi->ifi_flags = tswap32(ifi->ifi_flags);
+ ifi->ifi_change = tswap32(ifi->ifi_change);
+ host_to_target_link_rtattr(IFLA_RTA(ifi),
+ nlmsg_len - NLMSG_LENGTH(sizeof(*ifi)));
+ }
break;
case RTM_NEWADDR:
case RTM_DELADDR:
case RTM_GETADDR:
- ifa = NLMSG_DATA(nlh);
- ifa->ifa_index = tswap32(ifa->ifa_index);
- host_to_target_addr_rtattr(IFA_RTA(ifa),
- nlmsg_len - NLMSG_LENGTH(sizeof(*ifa)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*ifa))) {
+ ifa = NLMSG_DATA(nlh);
+ ifa->ifa_index = tswap32(ifa->ifa_index);
+ host_to_target_addr_rtattr(IFA_RTA(ifa),
+ nlmsg_len - NLMSG_LENGTH(sizeof(*ifa)));
+ }
break;
case RTM_NEWROUTE:
case RTM_DELROUTE:
case RTM_GETROUTE:
- rtm = NLMSG_DATA(nlh);
- rtm->rtm_flags = tswap32(rtm->rtm_flags);
- host_to_target_route_rtattr(RTM_RTA(rtm),
- nlmsg_len - NLMSG_LENGTH(sizeof(*rtm)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*rtm))) {
+ rtm = NLMSG_DATA(nlh);
+ rtm->rtm_flags = tswap32(rtm->rtm_flags);
+ host_to_target_route_rtattr(RTM_RTA(rtm),
+ nlmsg_len -
NLMSG_LENGTH(sizeof(*rtm)));
+ }
break;
default:
return -TARGET_EINVAL;
@@ -2086,30 +2092,36 @@ static abi_long target_to_host_data_route(struct
nlmsghdr *nlh)
break;
case RTM_NEWLINK:
case RTM_DELLINK:
- ifi = NLMSG_DATA(nlh);
- ifi->ifi_type = tswap16(ifi->ifi_type);
- ifi->ifi_index = tswap32(ifi->ifi_index);
- ifi->ifi_flags = tswap32(ifi->ifi_flags);
- ifi->ifi_change = tswap32(ifi->ifi_change);
- target_to_host_link_rtattr(IFLA_RTA(ifi), nlh->nlmsg_len -
- NLMSG_LENGTH(sizeof(*ifi)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*ifi))) {
+ ifi = NLMSG_DATA(nlh);
+ ifi->ifi_type = tswap16(ifi->ifi_type);
+ ifi->ifi_index = tswap32(ifi->ifi_index);
+ ifi->ifi_flags = tswap32(ifi->ifi_flags);
+ ifi->ifi_change = tswap32(ifi->ifi_change);
+ target_to_host_link_rtattr(IFLA_RTA(ifi), nlh->nlmsg_len -
+ NLMSG_LENGTH(sizeof(*ifi)));
+ }
break;
case RTM_GETADDR:
case RTM_NEWADDR:
case RTM_DELADDR:
- ifa = NLMSG_DATA(nlh);
- ifa->ifa_index = tswap32(ifa->ifa_index);
- target_to_host_addr_rtattr(IFA_RTA(ifa), nlh->nlmsg_len -
- NLMSG_LENGTH(sizeof(*ifa)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*ifa))) {
+ ifa = NLMSG_DATA(nlh);
+ ifa->ifa_index = tswap32(ifa->ifa_index);
+ target_to_host_addr_rtattr(IFA_RTA(ifa), nlh->nlmsg_len -
+ NLMSG_LENGTH(sizeof(*ifa)));
+ }
break;
case RTM_GETROUTE:
break;
case RTM_NEWROUTE:
case RTM_DELROUTE:
- rtm = NLMSG_DATA(nlh);
- rtm->rtm_flags = tswap32(rtm->rtm_flags);
- target_to_host_route_rtattr(RTM_RTA(rtm), nlh->nlmsg_len -
- NLMSG_LENGTH(sizeof(*rtm)));
+ if (nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(*rtm))) {
+ rtm = NLMSG_DATA(nlh);
+ rtm->rtm_flags = tswap32(rtm->rtm_flags);
+ target_to_host_route_rtattr(RTM_RTA(rtm), nlh->nlmsg_len -
+ NLMSG_LENGTH(sizeof(*rtm)));
+ }
break;
default:
return -TARGET_EOPNOTSUPP;
--
2.1.4
- [Qemu-devel] [PULL v2 06/24] configure: Don't allow user-only targets for unknown CPU architectures, (continued)
- [Qemu-devel] [PULL v2 06/24] configure: Don't allow user-only targets for unknown CPU architectures, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 07/24] user-exec: Delete now-unused hppa and m68k cpu_signal_handler() code, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 11/24] linux-user: Support F_GETPIPE_SZ and F_SETPIPE_SZ fcntls, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 09/24] linux-user: Create a hostdep.h for each host architecture, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 10/24] linux-user: Fix wrong type used for argument to rt_sigqueueinfo, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 13/24] linux-user: add socket() strace, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 15/24] linux-user: update get_thread_area/set_thread_area strace, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 14/24] linux-user: fix clone() strace, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 12/24] linux-user: add socketcall() strace, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 17/24] linux-user: fd_trans_host_to_target_data() must process only received data, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 18/24] linux-user: don't swap NLMSG_DATA() fields,
riku . voipio <=
- [Qemu-devel] [PULL v2 16/24] linux-user: add missing return in netlink switch statement, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 21/24] linux-user: Provide safe_syscall for arm, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 20/24] linux-user: Provide safe_syscall for i386, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 22/24] linux-user: Provide safe_syscall for aarch64, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 24/24] linux-user: Provide safe_syscall for ppc64, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 19/24] linux-user: fix x86_64 safe_syscall, riku . voipio, 2016/06/28
- [Qemu-devel] [PULL v2 23/24] linux-user: Provide safe_syscall for s390x, riku . voipio, 2016/06/28
- Re: [Qemu-devel] [PULL v2 00/24] linux-user changes for v2.7, Peter Maydell, 2016/06/29