Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com> --- hw/scsi/mptsas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c index db3219e7d20..f53ea358161 100644 --- a/hw/scsi/mptsas.c +++ b/hw/scsi/mptsas.c @@ -449,7 +449,8 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re } else { MPTSASCancelNotifier *notifier; - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2(&reply, + sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 1; @@ -476,7 +477,7 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re goto out; } - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 0; -- 2.31.1
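Review bot: in the `@@ -449` hunk the size argument `sizeof(MPIMsgSCSITaskMgmtReply)` is a compile-time constant far below G_MAXUINT, so this call was never exposed to the gsize-to-guint truncation the commit message describes; converting it is still right so that no g_memdup() callers remain in the file, but the message could say that for this file the change is a mechanical conversion rather than a fix. Style: the new call is wrapped across two lines here while the identical call in the second hunk stays on one line; `sizeof(reply)` (if `reply` is the `MPIMsgSCSITaskMgmtReply` being duplicated, as `&reply` suggests) would fit on one line and keep the size tied to the object actually copied.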
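Review bot: the `@@ -476` hunk is the same one-for-one replacement and needs no further change in itself; the one thing to confirm before merging is that g_memdup2() resolves on the oldest GLib version QEMU builds against, since it is newer than the g_memdup() it replaces. The commit message calls the replacement a "wrapper", which suggests the series supplies a fallback for older GLib, but nothing in this patch shows it, so check that the wrapper patch is ordered ahead of this one in the series.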
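To make the truncation described in the commit message concrete, the following is an added example (not code from the patch, from QEMU or from GLib): it reproduces the narrowing a gsize undergoes when passed to the old guint parameter, a check a reviewer can apply to any g_memdup() call site, and a size_t-based memdup2-style replacement. It assumes a 64-bit platform where `guint` is 32 bits and `gsize` is `size_t`; the typedefs and function names are stand-ins, not GLib's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for GLib's integer types (assumption: guint is 32-bit,
 * gsize is the platform size_t, as on 64-bit Linux). */
typedef unsigned int guint_t;   /* what g_memdup() accepted */
typedef size_t gsize_t;         /* what g_memdup2() accepts */

/* Size the old guint API would really allocate for a caller-supplied
 * gsize: the implicit conversion keeps only the low 32 bits. */
static gsize_t legacy_memdup_alloc_size(gsize_t requested)
{
    guint_t narrowed = (guint_t)requested;  /* silent truncation */
    return (gsize_t)narrowed;
}

/* Review check: would this request be silently shrunk by g_memdup()? */
static int legacy_memdup_would_truncate(gsize_t requested)
{
    return legacy_memdup_alloc_size(requested) != requested;
}

/* g_memdup2()-style replacement: the size is a gsize_t end to end, so
 * nothing narrows. Returns NULL for a NULL source or zero size, as
 * g_memdup2() does; on allocation failure it returns NULL instead of
 * aborting (a choice made for this example). */
static void *memdup2_compat(const void *mem, gsize_t byte_size)
{
    void *copy;
    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Round-trips a constructed buffer through memdup2_compat(); 1 on success. */
static int copy_roundtrip_ok(void)
{
    const unsigned char src[] = {0x01, 0x02, 0x03, 0x04, 0xff};  /* constructed */
    unsigned char *copy = memdup2_compat(src, sizeof src);
    int ok = copy != NULL && memcmp(copy, src, sizeof src) == 0;
    free(copy);
    return ok;
}
```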