[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the

From: Fabrice Bellard
Subject: Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the slirp network code
Date: Sun, 05 Jun 2005 19:23:33 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Juergen Keil wrote:
Compiling inside a NetBSD 1.5 qemu guest OS (source files are located
on an NFS filesystem mounted from the Solaris host OS) crashes qemu
with a malloc heap corruption error, when the slirp user mode
networking code is in use.

Using the "electric fence" memory allocator, the location of the data
corruption can be narrowed down to the destination address in the memcpy
call in slirp/mbuf.c, function m_cat():

    m_cat(m, n)
        register struct mbuf *m, *n;
         * If there's no room, realloc
        if (M_FREEROOM(m) < n->m_len)

First this code is incorrect : it increases the size by MINCSIZE which can be smaller than the required size.

memcpy(m->m_data+m->m_len, n->m_data, n->m_len); <<<< this memcpy corrupts the malloc

The problem is apparently in m_inc(), when an mbuf with an external
data buffer is resized.  After resizing the mbuf, the m_data member
still points into the old buffer, before is was reallocated.  For some
reason, the code to re-adjust the m_data pointer is present in the M_EXT
case in m_inc(), but is commented out. (With a bit of luck, realloc
might be able to adjust the size of the memory block in place; but
slirp shouldn't rely on this)

Fix: Adjust mbuf->m_data after a realloc of the external data buffer

OK. Does someone knows why this code was suppressed ?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]