Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. packet_new() is called from packet_enqueue() with size being 32-bit (of type SocketReadState::packet_len). Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com> --- net/colo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/colo.c b/net/colo.c index 3a3e6e89a0c..c04a7fe6dbb 100644 --- a/net/colo.c +++ b/net/colo.c @@ -159,7 +159,7 @@ Packet *packet_new(const void *data, int size, int vnet_hdr_len) { Packet *pkt = g_slice_new0(Packet); - pkt->data = g_memdup(data, size); + pkt->data = g_memdup2(data, size); pkt->size = size; pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST); pkt->vnet_hdr_len = vnet_hdr_len; @@ -214,7 +214,7 @@ Connection *connection_get(GHashTable *connection_track_table, Connection *conn = g_hash_table_lookup(connection_track_table, key); if (conn == NULL) { - ConnectionKey *new_key = g_memdup(key, sizeof(*key)); + ConnectionKey *new_key = g_memdup2(key, sizeof(*key)); conn = connection_new(key); -- 2.31.1
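Review bot: in the packet_new() hunk, `size` is still a signed `int` (`Packet *packet_new(const void *data, int size, int vnet_hdr_len)`), so the new `g_memdup2(data, size)` converts it to a gsize; a negative value would no longer be truncated but would become an enormous allocation request, and `pkt->size = size` would still record the negative value. Consider rejecting `size < 0` before the call, or changing the parameter type to gsize together with this switch, so the 32-bit caller named in the message (SocketReadState::packet_len) cannot hand the wrapper an out-of-range value.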
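Review bot: the connection_get() hunk passes `sizeof(*key)`, a compile-time gsize constant, so the g_memdup() call there could never have truncated; the commit message explains only the packet_new() call site. A sentence stating that the connection_get() change is a mechanical switch for consistency would make the scope of the fix clear to the next reader.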
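The truncation the commit message describes, shown as an added example that is not part of the patch, QEMU, or GLib: `legacy_guint_size()` mirrors what a guint-sized parameter receives when a 64-bit size is passed, `would_truncate()` is the check a reviewer would want before any such call, and `memdup_sized()` is a stand-in with g_memdup2()-style semantics (size_t size, NULL for a zero-length request); all three names are assumptions made for this illustration, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* What a guint-sized parameter (the old g_memdup() shape) actually receives
 * when the caller hands it a 64-bit size: the high 32 bits are dropped. */
unsigned int legacy_guint_size(uint64_t requested)
{
    return (unsigned int)requested;
}

/* 1 if passing `requested` through a guint parameter would change its value. */
int would_truncate(uint64_t requested)
{
    return legacy_guint_size(requested) != requested;
}

/* Hypothetical duplicate with g_memdup2()-style semantics: the size is a
 * size_t so no narrowing happens at the call site, a zero-length or NULL
 * request yields NULL, and the copy is exactly `size` bytes long. */
void *memdup_sized(const void *src, size_t size)
{
    if (src == NULL || size == 0) {
        return NULL;
    }
    void *dst = malloc(size);
    if (dst == NULL) {
        return NULL;
    }
    memcpy(dst, src, size);
    return dst;
}

/* Guard for a packet_new()-style entry point that still takes a signed int:
 * a negative size must never reach a size_t parameter, where it would be
 * converted into a huge allocation request instead of being rejected. */
int packet_size_valid(int size)
{
    return size > 0;
}

/* Constructed self-check: fill a buffer with a pattern, duplicate it through
 * memdup_sized(), and confirm every byte survived. Returns 1 on success. */
int roundtrip_ok(size_t size)
{
    unsigned char *src = malloc(size);
    if (src == NULL) {
        return 0;
    }
    for (size_t i = 0; i < size; i++) {
        src[i] = (unsigned char)(i * 31 + 7);
    }
    unsigned char *copy = memdup_sized(src, size);
    int ok = copy != NULL && memcmp(src, copy, size) == 0;
    free(copy);
    free(src);
    return ok;
}
```

`would_truncate()` is the kind of assertion worth placing at a boundary where a size computed as size_t is about to cross into an API that still takes a 32-bit count; the example does not allocate anything near 4 GiB, it only shows the arithmetic that makes the smaller-than-expected heap area possible.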