From 8cb4d202d4e5713e9b2b5f0ec817234941623f10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Fri, 4 Jun 2021 15:58:25 +0400 Subject: [PATCH 1/6] Add mtod_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Recent security issues demonstrate the lack of safety care when casting a mbuf to a particular structure type. At least, it should check that the buffer is large enough. The following patches will make use of this function. Signed-off-by: Marc-André Lureau Signed-off-by: imxcc --- slirp/src/mbuf.c | 11 +++++++++++ slirp/src/mbuf.h | 1 + 2 files changed, 12 insertions(+) diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c index 4fd62282..6d0653ed 100644 --- a/slirp/src/mbuf.c +++ b/slirp/src/mbuf.c @@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) return (struct mbuf *)0; } + +void *mtod_check(struct mbuf *m, size_t len) +{ + if (m->m_len >= len) { + return m->m_data; + } + + DEBUG_ERROR("mtod failed"); + + return NULL; +} diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h index 546e7852..2015e323 100644 --- a/slirp/src/mbuf.h +++ b/slirp/src/mbuf.h @@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); void m_adj(struct mbuf *, int); int m_copy(struct mbuf *, struct mbuf *, int, int); struct mbuf *dtom(Slirp *, void *); +void *mtod_check(struct mbuf *, size_t len); static inline void ifs_init(struct mbuf *ifm) { -- 2.27.0