Re: [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmi

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmi

From:	Stefan Hajnoczi
Subject:	Re: [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmission functions
Date:	Fri, 23 Oct 2020 14:53:24 +0100

On Thu, Oct 15, 2020 at 02:04:59PM -0400, Jagannathan Raman wrote:
> +void mpqemu_msg_recv(MPQemuMsg *msg, QIOChannel *ioc, Error **errp)
> +{
> +    Error *local_err = NULL;
> +    int *fds = NULL;
> +    size_t nfds = 0;
> +    ssize_t len;
> +
> +    len = mpqemu_read(ioc, (void *)msg, MPQEMU_MSG_HDR_SIZE, &fds, &nfds,
> +                      &local_err);
> +    if (!local_err) {
> +        if (len == -EIO) {
> +            error_setg(&local_err, "Connection closed.");
> +            goto fail;
> +        }
> +        if (len < 0) {
> +            error_setg(&local_err, "Message length is less than 0");
> +            goto fail;
> +        }
> +        if (len != MPQEMU_MSG_HDR_SIZE) {
> +            error_setg(&local_err, "Message header corrupted");
> +            goto fail;
> +        }
> +    } else {
> +        goto fail;
> +    }
> +
> +    if (msg->size > sizeof(msg->data)) {
> +        error_setg(&local_err, "Invalid size for message");
> +        goto fail;
> +    }
> +
> +    if (mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL,
> +                    &local_err) < 0) {
> +        goto fail;
> +    }
> +
> +    msg->num_fds = nfds;
> +    if (nfds) {
> +        memcpy(msg->fds, fds, nfds * sizeof(int));

I can't find anything that limits nfds to REMOTE_MAX_FDS. This looks
like a buffer overflow.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v11 09/19] multi-process: setup memory manager for remote device, (continued)
- [PATCH v11 09/19] multi-process: setup memory manager for remote device, Jagannathan Raman, 2020/10/15
- [PATCH v11 13/19] multi-process: PCI BAR read/write handling for proxy & remote endpoints, Jagannathan Raman, 2020/10/15
- [PATCH v11 05/19] multi-process: add qio channel function to transmit, Jagannathan Raman, 2020/10/15
  - Re: [PATCH v11 05/19] multi-process: add qio channel function to transmit, Philippe Mathieu-Daudé, 2020/10/23
- [PATCH v11 16/19] multi-process: Retrieve PCI info from remote process, Jagannathan Raman, 2020/10/15
- [PATCH v11 17/19] multi-process: perform device reset in the remote process, Jagannathan Raman, 2020/10/15
- [PATCH v11 14/19] multi-process: Synchronize remote memory, Jagannathan Raman, 2020/10/15
- [PATCH v11 19/19] multi-process: add configure and usage information, Jagannathan Raman, 2020/10/15
- [PATCH v11 15/19] multi-process: create IOHUB object to handle irq, Jagannathan Raman, 2020/10/15
- [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmission functions, Jagannathan Raman, 2020/10/15
  - Re: [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmission functions, Stefan Hajnoczi <=
- [PATCH v11 07/19] multi-process: Initialize message handler in remote device, Jagannathan Raman, 2020/10/15
- [PATCH v11 18/19] multi-process: add the concept description to docs/devel/qemu-multiprocess, Jagannathan Raman, 2020/10/15
- Re: [PATCH v11 00/19] Initial support for multi-process Qemu, Stefan Hajnoczi, 2020/10/23

Prev by Date: Re: [RFC] Using gitlab for upstream qemu repo?
Next by Date: Re: [PATCH v11 08/19] multi-process: Associate fd of a PCIDevice with its object
Previous by thread: [PATCH v11 06/19] multi-process: define MPQemuMsg format and transmission functions
Next by thread: [PATCH v11 07/19] multi-process: Initialize message handler in remote device
Index(es):
- Date
- Thread