rdma: validate RDMAControlHeader::len
authorIsaku Yamahata <yamahata@private.email.ne.jp>
Fri, 9 Aug 2013 20:05:41 +0000 (16:05 -0400)
committerAnthony Liguori <aliguori@us.ibm.com>
Mon, 12 Aug 2013 14:31:15 +0000 (09:31 -0500)
RDMAControlHeader::len is supplied by the remote peer, so validate it.

Reviewed-by: Orit Wasserman <owasserm@redhat.com>
Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp>
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
Message-id: 1376078746-24948-3-git-send-email-mrhines@linux.vnet.ibm.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
migration-rdma.c

index 672126676cca91ad599ad8250dde73e396d8197f..ebe1f5526373a6221094d6dbeab4e93dbabf3dcb 100644 (file)
@@ -1424,6 +1424,7 @@ static int qemu_rdma_post_send_control(RDMAContext *rdma, uint8_t *buf,
      * The copy makes the RDMAControlHeader simpler to manipulate
      * for the time being.
      */
+    assert(head->len <= RDMA_CONTROL_MAX_BUFFER - sizeof(*head));
     memcpy(wr->control, head, sizeof(RDMAControlHeader));
     control_to_network((void *) wr->control);
 
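Review bot: The added `assert` is the only bound on `head->len` before the header is copied into `wr->control`, and it compiles away in any build that defines NDEBUG, leaving the send path unchecked. Since qemu_rdma_post_send_control already returns `int`, an explicit check such as `if (head->len > RDMA_CONTROL_MAX_BUFFER - sizeof(*head)) { return -EINVAL; }` would hold in every build and fail the migration instead of aborting the process. If the assert is kept on purpose because `head` is always built locally, a short comment saying so would help, as the callers are not visible here. The same bound expression is repeated in the qemu_rdma_exchange_get_response hunk, so the two are easy to let drift apart; the function body starts and ends outside this hunk.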
@@ -1504,6 +1505,10 @@ static int qemu_rdma_exchange_get_response(RDMAContext *rdma,
                 control_desc[head->type], head->type, head->len);
         return -EIO;
     }
+    if (head->len > RDMA_CONTROL_MAX_BUFFER - sizeof(*head)) {
+        fprintf(stderr, "too long length: %d\n", head->len);
+        return -EINVAL;
+    }
 
     return 0;
 }
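Review bot: The rejection message in the added block formats `head->len` with `%d`, and if the field is an unsigned 32-bit value, as its comparison against a `sizeof` expression suggests, an oversized length from the peer can print as a negative number. That hides the very value someone triaging a failed or hostile migration needs to see. Printing it unsigned together with the limit, for example `fprintf(stderr, "control message length %" PRIu32 " exceeds limit %zu\n", head->len, RDMA_CONTROL_MAX_BUFFER - sizeof(*head));`, keeps the log usable. A one-line comment above the check, `/* len comes from the peer; reject it before any caller sizes a copy with it */`, would also record why the check belongs here. The start of qemu_rdma_exchange_get_response is outside the hunk, so whether `len` has already been converted to host byte order at this point should be confirmed there.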