rdma: validate RDMAControlHeader::len

RMDAControlHeader::len is provided from remote, so validate it. Reviewed-by: N Orit Wasserman <owasserm@redhat.com> Reviewed-by: N Michael R. Hines <mrhines@us.ibm.com> Signed-off-by: N Isaku Yamahata <yamahata@private.email.ne.jp> Signed-off-by: N Michael R. Hines <mrhines@us.ibm.com> Message-id: 1376078746-24948-3-git-send-email-mrhines@linux.vnet.ibm.com Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

rdma: validate RDMAControlHeader::len
RMDAControlHeader::len is provided from remote, so validate it. Reviewed-by: N Orit Wasserman <owasserm@redhat.com> Reviewed-by: N Michael R. Hines <mrhines@us.ibm.com> Signed-off-by: N Isaku Yamahata <yamahata@private.email.ne.jp> Signed-off-by: N Michael R. Hines <mrhines@us.ibm.com> Message-id: 1376078746-24948-3-git-send-email-mrhines@linux.vnet.ibm.com Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
6f1484ed · Isaku Yamahata · Anthony Liguori · 885e8f98 · 6f1484ed
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

migration-rdma.c migration-rdma.c +5 -0

未找到文件。
--- a/migration-rdma.c
+++ b/migration-rdma.c
@@ -1424,6 +1424,7 @@ static int qemu_rdma_post_send_control(RDMAContext *rdma, uint8_t *buf,
     * The copy makes the RDMAControlHeader simpler to manipulate
     * for the time being.
     */
+    assert(head->len <= RDMA_CONTROL_MAX_BUFFER - sizeof(*head));
    memcpy(wr->control, head, sizeof(RDMAControlHeader));
    control_to_network((void *) wr->control);

@@ -1504,6 +1505,10 @@ static int qemu_rdma_exchange_get_response(RDMAContext *rdma,
                control_desc[head->type], head->type, head->len);
        return -EIO;
    }
+    if (head->len > RDMA_CONTROL_MAX_BUFFER - sizeof(*head)) {
+        fprintf(stderr, "too long length: %d\n", head->len);
+        return -EINVAL;
+    }

    return 0;
 }