Re: [Qemu-devel] [PATCH] slirp: check data length while emulating ident
From: Marc-André Lureau
Subject: Re: [Qemu-devel] [PATCH] slirp: check data length while emulating ident function
Date: Fri, 11 Jan 2019 15:23:06 +0400
Hi
On Fri, Jan 11, 2019 at 1:18 PM P J P <address@hidden> wrote:
>
> +-- On Fri, 11 Jan 2019, Marc-André Lureau wrote --+
> | > + if (m->m_len > so_rcv->sb_datalen
> | > + - (so_rcv->sb_wptr - so_rcv->sb_data)) {
> | > + m_free(m);
> | > + return 0;
> | > + }
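Review bot: The m_free(m) call and the return value in this new length check have to agree. Per the function comment quoted in this thread, returning 1 means 'm' is valid and should be appended via sbappend(), so if the return is switched to 1 as suggested, the m_free(m) must be dropped, otherwise the caller would append an mbuf that has already been freed. Separately, the remaining-space expression so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data) would be easier to audit as a named local with a one-line comment stating that the data is rejected because it does not fit in the receive buffer. The operand types are not visible in this hunk, so it is worth confirming that the comparison against m->m_len does not mix signed and unsigned values.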
> |
> | Check looks correct, it should probably return 1.
>
> Function comment says return 1 if 'm' is valid and should be appended via
> sbappend(). Not sure if unprocessed 'm' should go to sbappend().
If you look at the rest of the function, many similar error cases return 1.
> | Is there a reproducer?
>
> Yes, I have one.
Ok, could you add it to the commit message ? :)
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
--
Marc-André Lureau