| author | Shu-Chun Weng <scw@google.com> | 2019-10-17 17:19:20 -0700 |
|---|---|---|
| committer | Laurent Vivier <laurent@vivier.eu> | 2019-10-21 11:34:18 +0200 |
| commit | 1645fb5a1e537f85eda744bfa6e9d3dda047ba28 (patch) | |
| tree | 688a4ab68f99f102371dac1a53df1ade304fa9da /util/qemu-coroutine-sleep.c | |
| parent | 53bdbfdf5326ad453b307c5b4bb9e71aeab29cf3 (diff) | |
Fix unsigned integer underflow in fd-trans.c
In any of these `*_for_each_*` functions, if the last entry in the buffer (so the "remaining length in the buffer" `len` is equal to the length of the entry `nlmsg_len`/`nla_len`/etc) has size that is not a multiple of the alignment, the aligned lengths `*_ALIGN(*_len)` will be greater than `len`. Since `len` is unsigned (`size_t`), it underflows and the loop will read past the buffer.

This may manifest as random EINVAL or EOPNOTSUPP error on IO or network system calls.

Signed-off-by: Shu-Chun Weng <scw@google.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20191018001920.178283-1-scw@google.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Diffstat (limited to 'util/qemu-coroutine-sleep.c')
0 files changed, 0 insertions, 0 deletions
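
The underflow described in the commit message, reproduced as an added example that is not QEMU's code and not taken from this commit. `struct attr`, `ATTR_ALIGN`, `walk` and the sample buffer are hypothetical and constructed, and the `checked` branch is one possible guard, not necessarily the one the patch applies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV header, modelled on netlink-style attributes. */
struct attr { uint16_t len; uint16_t type; };
#define ATTR_ALIGN(n) (((n) + 3u) & ~(size_t)3u)

static void put_attr(uint8_t *buf, size_t off, uint16_t len, uint16_t type)
{
    struct attr a = { len, type };
    memcpy(buf + off, &a, sizeof(a));
}

/* Walk the entries in buf[0..len); returns how many were visited. */
static int walk(const uint8_t *buf, size_t len, int checked)
{
    int visited = 0;
    while (len >= sizeof(struct attr)) {
        struct attr a;
        memcpy(&a, buf, sizeof(a));
        if (a.len < sizeof(a) || a.len > len)
            break;                 /* malformed or truncated entry */
        visited++;
        size_t aligned = ATTR_ALIGN((size_t)a.len);
        if (checked && aligned >= len)
            break;                 /* last entry: padding would exceed len */
        len -= aligned;            /* unchecked: 7 - 8 wraps to SIZE_MAX */
        buf += aligned;
    }
    return visited;
}

/* Constructed sample: a 7-byte message inside a 16-byte backing array. */
static int demo(int checked)
{
    uint8_t backing[16] = {0};
    put_attr(backing, 0, 7, 1);    /* the only real entry: header + 3 bytes */
    put_attr(backing, 8, 4, 2);    /* stale bytes that parse as an entry */
    /* bytes 12..15 stay zero, so a runaway walk stops inside the array */
    return walk(backing, 7, checked);
}

int main(void)
{
    printf("unchecked: %d, checked: %d\n", demo(0), demo(1));
    return 0;
}
```

The unchecked walk reports two entries for a message that holds one, because the wrapped `len` lets it parse the stale bytes after the message.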