Re: [Qemu-devel] [PULL 05/15] multifd: Be flexible about packet size
From: Peter Maydell
Subject: Re: [Qemu-devel] [PULL 05/15] multifd: Be flexible about packet size
Date: Tue, 26 Mar 2019 12:26:19 +0000
On Mon, 25 Mar 2019 at 18:13, Juan Quintela <address@hidden> wrote:
>
> This way we can change the packet size in the future and everything
> will work. We choose an arbitrary big number (100 times configured
> size) as a limit about how big we will reallocate.
>
> Signed-off-by: Juan Quintela <address@hidden>
> Reviewed-by: Dr. David Alan Gilbert <address@hidden>
> Signed-off-by: Juan Quintela <address@hidden>
> --
Hi; Coverity reports a use-after-free in this code
(CID 1400442):
> @@ -832,12 +832,24 @@ static int multifd_recv_unfill_packet(MultiFDRecvParams
> *p, Error **errp)
> p->flags = be32_to_cpu(packet->flags);
>
> packet->pages_alloc = be32_to_cpu(packet->pages_alloc);
> - if (packet->pages_alloc > page_count) {
> + /*
> + * If we recevied a packet that is 100 times bigger than expected
> + * just stop migration. It is a magic number.
> + */
> + if (packet->pages_alloc > pages_max * 100) {
> error_setg(errp, "multifd: received packet "
> - "with size %d and expected maximum size %d",
> - packet->pages_alloc, page_count) ;
> + "with size %d and expected a maximum size of %d",
> + packet->pages_alloc, pages_max * 100) ;
> return -1;
> }
> + /*
> + * We received a packet that is bigger than expected but inside
> + * reasonable limits (see previous comment). Just reallocate.
> + */
> + if (packet->pages_alloc > p->pages->allocated) {
> + multifd_pages_clear(p->pages);
multifd_pages_clear() calls g_free() on the pointer it is passed...
> + multifd_pages_init(packet->pages_alloc);
> + }
>
> p->pages->used = be32_to_cpu(packet->pages_used);
...but here we fall through and dereference p->pages, which
we might have just freed.
> if (p->pages->used > packet->pages_alloc) {
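Review bot: in the reallocation branch the return value of multifd_pages_init() is discarded and p->pages is never reassigned, so once multifd_pages_clear(p->pages) has freed the old allocation the field still holds the stale pointer and the very next line, `p->pages->used = be32_to_cpu(packet->pages_used);`, writes through freed memory. Assign the new allocation back, `p->pages = multifd_pages_init(packet->pages_alloc);`, and, if multifd_pages_init() can fail, return -1 with an error set instead of falling through. Because packet->pages_alloc comes straight off the wire, this branch is reached on sender-controlled input, so a test that feeds a packet whose pages_alloc is just above p->pages->allocated would have exercised the path. Minor: the new comment spells "received" as "recevied".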
> --
> 2.20.1
thanks
-- PMM