Commit d822c205 authored Oct 24, 2017 by Daniel Verkamp

rte_virtio: check payload size in vhost_user_read



Make sure the recv() can't write beyond the end of the msg buffer.

Change-Id: Ibc4bb51ac3a1c2a027a458d59356b7a5496eca7e
Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-on: https://review.gerrithub.io/383646


Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Dariusz Stojaczyk <dariuszx.stojaczyk@intel.com>

parent 22077b21

lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -131,6 +131,13 @@ vhost_user_read(int fd, struct vhost_user_msg *msg)
		}

		sz_payload = msg->size;

		if (sizeof(*msg) - sz_hdr < sz_payload) {
		SPDK_WARNLOG("Received oversized msg: payload size %zu > available space %zu\n",
		sz_payload, sizeof(*msg) - sz_hdr);
		goto fail;
		}

		if (sz_payload) {
		ret = recv(fd, (void )((char )msg + sz_hdr), sz_payload, 0);
		if ((size_t)ret != sz_payload) {