Files · ade0075523478fa015afd5c6f6cc70681687818d · Anton / libtcg

contrib/rdmacm-mux: Fix out-of-bounds risk

Yuval Shaia authored 6 years ago

The function get_fd extract context from the received MAD message and
uses it as a key to fetch the destination fd from the mapping table.
A context can be dgid in case of CM request message or comm_id in case
of CM SIDR response message.

When MAD message with a smaller size as expected for the message type
received we are hitting out-of-bounds where we are looking for the
context out of message boundaries.

Fix it by validating the message size.

Reported-by Sam Smith <sam.j.smith@oracle.com>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Message-Id: <20190212112347.1605-1-yuval.shaia@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

ade00755

History

ade00755 6 years ago

History

Name	Last commit	Last update
accel
audio
authz
backends
block
bsd-user
chardev
contrib
crypto
default-configs
disas
docs
fpu
fsdev
gdb-xml
hw
include
io
libdecnumber
linux-headers
linux-user
migration
nbd
net
pc-bios
po
python/qemu
qapi
qga
qobject
qom
replay
roms
scripts
scsi
slirp
stubs
target
tcg
tests
trace
ui
util
.cirrus.yml
.dir-locals.el
.editorconfig
.exrc
.gdbinit
.gitignore
.gitlab-ci.yml
.gitmodules
.gitpublish
.mailmap
.shippable.yml
.travis.yml
CODING_STYLE
COPYING
COPYING.LIB
Changelog
HACKING
Kconfig.host
LICENSE
MAINTAINERS
Makefile
Makefile.objs
Makefile.target
README
VERSION
arch_init.c
balloon.c
block.c
blockdev-nbd.c
blockdev.c
blockjob.c
bootdevice.c
bt-host.c
bt-vhci.c
configure
cpus-common.c
cpus.c
device-hotplug.c
device_tree.c
disas.c
dma-helpers.c
dump.c
exec.c
gdbstub.c
gitdm.config
hmp-commands-info.hx
hmp-commands.hx
hmp.c
hmp.h
ioport.c
iothread.c
job-qmp.c
job.c
memory.c
memory_ldst.inc.c
memory_mapping.c
module-common.c

README