[Qemu-devel] [PATCH 2/3] rdma: validate RDMAControlHeader::len

Isaku Yamahata Tue, 06 Aug 2013 19:28:43 -0700

RMDAControlHeader::len is provided from remote, so validate it.

Cc: Michael R. Hines <mrhi...@us.ibm.com>
Signed-off-by: Isaku Yamahata <yamah...@private.email.ne.jp>
---
 migration-rdma.c |    5 +++++
 1 file changed, 5 insertions(+)


diff --git a/migration-rdma.c b/migration-rdma.c
index 6721266..ebe1f55 100644
--- a/migration-rdma.c
+++ b/migration-rdma.c
@@ -1424,6 +1424,7 @@ static int qemu_rdma_post_send_control(RDMAContext *rdma, 
uint8_t *buf,
      * The copy makes the RDMAControlHeader simpler to manipulate
      * for the time being.
      */
+    assert(head->len <= RDMA_CONTROL_MAX_BUFFER - sizeof(*head));
     memcpy(wr->control, head, sizeof(RDMAControlHeader));
     control_to_network((void *) wr->control);
 
@@ -1504,6 +1505,10 @@ static int qemu_rdma_exchange_get_response(RDMAContext 
*rdma,
                 control_desc[head->type], head->type, head->len);
         return -EIO;
     }
+    if (head->len > RDMA_CONTROL_MAX_BUFFER - sizeof(*head)) {
+        fprintf(stderr, "too long length: %d\n", head->len);
+        return -EINVAL;
+    }
 
     return 0;
 }
-- 
1.7.10.4

[Qemu-devel] [PATCH 2/3] rdma: validate RDMAControlHeader::len

Reply via email to