On Mon, 29 Jan 2018 21:14:31 +0000 Stefan Hajnoczi <stefa...@gmail.com> wrote:
> On Wed, Jan 24, 2018 at 12:39:23AM +0100, Greg Kurz wrote:
> > +/* size[4] Twrite tag[2] fid[4] offset[8] count[4] data[count] */
> > +static P9Req *v9fs_twrite(QVirtIO9P *v9p, uint32_t fid, uint64_t offset,
> > + uint32_t count, const void *data, uint16_t tag)
> > +{
> > + P9Req *req;
> > +
> > + req = v9fs_req_init(v9p, 4 + 8 + 4 + count, P9_TWRITE, tag);
>
> (uint32_t)(4 + 8 + 4 + (uint32_t)count) can overflow. I didn't look
> closely at the code and it's just a test case, but it seems safer to use
> types that avoid overflows or to handle them explicitly.
>
> It may not be an issue in a test case, but if someone copy pastes this
> code it could become a security issue.
You're right. I'll add something like:
uint32_t body_size = 4 + 8 + 4;
g_assert_cmpint(body_size, <=, UINT32_MAX - count);
and I now realize that several other places in this file need
a similar change.
pgpLZKL0akhzX.pgp
Description: OpenPGP digital signature
