From 6f1484edadba57f2800dc04ae3527ee4b6dac7ef Mon Sep 17 00:00:00 2001 From: Isaku Yamahata Date: Fri, 9 Aug 2013 16:05:41 -0400 Subject: [PATCH] rdma: validate RDMAControlHeader::len RMDAControlHeader::len is provided from remote, so validate it. Reviewed-by: Orit Wasserman Reviewed-by: Michael R. Hines Signed-off-by: Isaku Yamahata Signed-off-by: Michael R. Hines Message-id: 1376078746-24948-3-git-send-email-mrhines@linux.vnet.ibm.com Signed-off-by: Anthony Liguori --- migration-rdma.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/migration-rdma.c b/migration-rdma.c index 672126676c..ebe1f55263 100644 --- a/migration-rdma.c +++ b/migration-rdma.c @@ -1424,6 +1424,7 @@ static int qemu_rdma_post_send_control(RDMAContext *rdma, uint8_t *buf, * The copy makes the RDMAControlHeader simpler to manipulate * for the time being. */ + assert(head->len <= RDMA_CONTROL_MAX_BUFFER - sizeof(*head)); memcpy(wr->control, head, sizeof(RDMAControlHeader)); control_to_network((void *) wr->control); @@ -1504,6 +1505,10 @@ static int qemu_rdma_exchange_get_response(RDMAContext *rdma, control_desc[head->type], head->type, head->len); return -EIO; } + if (head->len > RDMA_CONTROL_MAX_BUFFER - sizeof(*head)) { + fprintf(stderr, "too long length: %d\n", head->len); + return -EINVAL; + } return 0; }