On 18/01/16 16:38, David Vrabel wrote:
> On 18/01/16 16:29, Insu Yun wrote:
>> When len is greater than UINT_MAX - sizeof(*rb), the next allocation
>> can overflow the integer range and allocate a small heap buffer.
>> After that, memcpy will overflow the allocated heap.
>> Therefore, the given length needs to be checked.
> [...]
>> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const
>> void *data, size_t len)
>>  {
>>  	struct read_buffer *rb;
>>
>> -	if (len == 0)
>> +	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
>                        ^^^^^^^^^^^^^^^^^^^^^^
> Please check
>
>   len > XENSTORE_PAYLOAD_MAX
>
> instead.
And return -EINVAL in this case (not zero).

David

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
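Review bot: folding the new bound into the existing `if (len == 0 || ...)` branch of queue_reply() makes an oversized len take the same return path as an empty write, so the caller is never told the request was rejected; give the size check its own branch that returns -EINVAL. The bound itself should be the protocol limit rather than the arithmetic one: `len >= UINT_MAX - sizeof(*rb)` only prevents the wraparound described in the commit message and still admits any allocation below that, whereas `len > XENSTORE_PAYLOAD_MAX` states the largest payload the interface is meant to accept and rejects everything beyond it, which is the check the rest of the thread asks for.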