qemu/slirp
Peter Maydell 09b94ac0f2 slirp: Correct size check in m_inc()
The data in an mbuf buffer is not necessarily at the start of the
allocated buffer. (For instance m_adj() allows data to be trimmed
from the start by just advancing the pointer and reducing the length.)
This means that the allocated buffer size (m->m_size) and the
amount of space from the m_data pointer to the end of the
buffer (M_ROOM(m)) are not necessarily the same.

Commit 864036e251 tried to change the m_inc() function from
taking the new allocated-buffer-size to taking the new room-size,
but forgot to change the initial "do we already have enough space"
check. This meant that if we were trying to extend a buffer which
had a leading gap between the buffer start and the data, we might
incorrectly decide it didn't need to be extended, and then
overrun the end of the buffer, causing memory corruption and
an eventual crash.

Change the "already big enough?" condition from checking the
argument against m->m_size to checking against M_ROOM().
This only makes a difference for the callsite in m_cat();
the other three callsites all start with a freshly allocated
mbuf from m_get(), which will have m->m_size == M_ROOM(m).

Fixes: 864036e251
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2018-08-07 14:13:22 +01:00
..
arp_table.c slirp/debug: Print IP addresses in human readable form 2018-05-31 21:19:24 +02:00
bootp.c slirp: Add domainname option to slirp's DHCP server 2018-05-31 21:19:08 +02:00
bootp.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
cksum.c Use #include "..." for our own headers, <...> for others 2016-07-12 16:19:16 +02:00
COPYRIGHT Remove the advertising clause from the slirp license 2009-01-26 19:37:41 +00:00
debug.h slirp: Cleanup and basic reanimation of debug code 2009-06-29 08:52:46 -05:00
dhcpv6.c slirp, disas: Replace min/max with MIN/MAX macros 2016-12-20 23:55:19 +01:00
dhcpv6.h slirp: add in6_dhcp_multicast() 2018-01-14 18:16:13 +01:00
dnssearch.c slirp: Use DIV_ROUND_UP 2016-06-07 18:19:25 +03:00
if.c slirp: Add a special case for the NULL socket 2017-09-24 20:04:09 +02:00
if.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
ip6_icmp.c slirp: avoid IN6_IS_ADDR_UNSPECIFIED(), rather use in6_zero() 2018-01-14 18:16:13 +01:00
ip6_icmp.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
ip6_input.c slirp: Allow disabling IPv4 or IPv6 2016-04-01 17:51:55 +02:00
ip6_output.c slirp: Adding IPv6, ICMPv6 Echo and NDP autoconfiguration 2016-03-15 10:35:00 +01:00
ip6.h slirp: use DIV_ROUND_UP 2017-07-15 14:28:25 +02:00
ip_icmp.c slirp: fix pinging the virtual ipv4 DNS server 2017-04-29 18:29:58 +02:00
ip_icmp.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
ip_input.c Use #include "..." for our own headers, <...> for others 2016-07-12 16:19:16 +02:00
ip_output.c Use #include "..." for our own headers, <...> for others 2016-07-12 16:19:16 +02:00
ip.h slirp: removed unused code 2018-01-14 18:16:13 +01:00
libslirp.h slirp: Add domainname option to slirp's DHCP server 2018-05-31 21:19:08 +02:00
main.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
Makefile.objs slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
mbuf.c slirp: Correct size check in m_inc() 2018-08-07 14:13:22 +01:00
mbuf.h slirp: correct size computation while concatenating mbuf 2018-06-08 09:08:30 +03:00
misc.c slirp: fork_exec(): Don't close() a negative number in fork_exec() 2017-07-15 14:28:25 +02:00
misc.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
ncsi-pkt.h slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
ncsi.c slirp/ncsi: add checksum support 2018-05-31 21:19:24 +02:00
ndp_table.c slirp: avoid IN6_IS_ADDR_UNSPECIFIED(), rather use in6_zero() 2018-01-14 18:16:13 +01:00
sbuf.c slirp: Handle error returns from sosendoob() 2017-07-15 14:28:25 +02:00
sbuf.h slirp: VMStatify sbuf 2017-04-29 18:44:16 +02:00
slirp_config.h slirp: Remove obsolete backward-compatibility cruft 2016-05-16 20:58:47 +02:00
slirp.c slirp: Send window updates to guest after window was closed 2018-05-31 21:19:24 +02:00
slirp.h slirp: Add domainname option to slirp's DHCP server 2018-05-31 21:19:08 +02:00
socket.c slirp: Fix spurious error report when sending directly 2018-06-01 16:45:49 +02:00
socket.h slirp: VMStatify socket level 2017-04-29 18:44:16 +02:00
tcp_input.c slirp: Fix wrong mss bug. 2017-05-27 23:34:47 +02:00
tcp_output.c slirp, disas: Replace min/max with MIN/MAX macros 2016-12-20 23:55:19 +01:00
tcp_subr.c slirp: disable Nagle in outgoing connections 2018-05-31 21:19:24 +02:00
tcp_timer.c slirp, disas: Replace min/max with MIN/MAX macros 2016-12-20 23:55:19 +01:00
tcp_timer.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
tcp_var.h slirp: VMState conversion; tcpcb 2017-04-29 18:44:16 +02:00
tcp.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
tcpip.h slirp, disas: Replace min/max with MIN/MAX macros 2016-12-20 23:55:19 +01:00
tftp.c slirp: tftp, copy sockaddr_size 2017-04-29 18:29:58 +02:00
tftp.h slirp: support dynamic block size for TFTP transfers 2016-12-21 00:02:15 +01:00
udp6.c slirp: add in6_dhcp_multicast() 2018-01-14 18:16:13 +01:00
udp.c slirp/debug: Print IP addresses in human readable form 2018-05-20 08:25:23 +03:00
udp.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00