
changeset 14582:c9dc33338ccc

[ACM] Check offset to be within the buffer's size
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Tue Mar 27 11:50:43 2007 +0100 (2007-03-27)
parents ba9d3fd4ee4b
children ec3b843dd733
files xen/acm/acm_policy.c
     1.1 --- a/xen/acm/acm_policy.c	Tue Mar 27 11:47:20 2007 +0100
     1.2 +++ b/xen/acm/acm_policy.c	Tue Mar 27 11:50:43 2007 +0100
     1.3 @@ -62,6 +62,7 @@ int
     1.4  do_acm_set_policy(void *buf, u32 buf_size)
     1.5  {
     1.6      struct acm_policy_buffer *pol = (struct acm_policy_buffer *)buf;
     1.7 +    uint32_t offset, length;
     1.8      /* some sanity checking */
     1.9      if ((be32_to_cpu(pol->magic) != ACM_MAGIC) ||
    1.10          (buf_size != be32_to_cpu(pol->len)) ||
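Review bot: Declaring `offset` and `length` as `uint32_t` means the `length = next_offset - offset` subtraction performed on them in the following hunk wraps when the offsets in the policy header are out of order, and the new `(offset + length) > buf_size` guard there wraps back to `next_offset` and passes: for the reference section the test reduces to `primary_buffer_offset > buf_size`, so a header with `policy_reference_offset > primary_buffer_offset` still reaches `acm_set_policy_reference(buf + offset, length)` with a length close to 4 GiB. The guard should bound the section's start and end separately instead of their sum, e.g. `end = be32_to_cpu(pol->primary_buffer_offset); if ( offset > end || end > buf_size || acm_set_policy_reference(buf + offset, end - offset))`, and the same shape for the primary and secondary sections (the secondary end is `pol->len`, which the sanity check above already ties to `buf_size`). Worth a one-line comment at the declaration, `/* section bounds from the untrusted header; validate start <= end <= buf_size before use */`. The body of do_acm_set_policy continues past this hunk and past the end of the page.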
    1.11 @@ -92,22 +93,27 @@ do_acm_set_policy(void *buf, u32 buf_siz
    1.12      /* get bin_policy lock and rewrite policy (release old one) */
    1.13      write_lock(&acm_bin_pol_rwlock);
    1.14  
    1.15 +    offset = be32_to_cpu(pol->policy_reference_offset);
    1.16 +    length = be32_to_cpu(pol->primary_buffer_offset) - offset;
    1.17 +
    1.18      /* set label reference name */
    1.19 -    if (acm_set_policy_reference(buf + be32_to_cpu(pol->policy_reference_offset),
    1.20 -                                 be32_to_cpu(pol->primary_buffer_offset) -
    1.21 -                                 be32_to_cpu(pol->policy_reference_offset)))
    1.22 +    if ( (offset + length) > buf_size ||
    1.23 +         acm_set_policy_reference(buf + offset, length))
    1.24          goto error_lock_free;
    1.25  
    1.26      /* set primary policy data */
    1.27 -    if (acm_primary_ops->set_binary_policy(buf + be32_to_cpu(pol->primary_buffer_offset),
    1.28 -                                           be32_to_cpu(pol->secondary_buffer_offset) -
    1.29 -                                           be32_to_cpu(pol->primary_buffer_offset)))
    1.30 +    offset = be32_to_cpu(pol->primary_buffer_offset);
    1.31 +    length = be32_to_cpu(pol->secondary_buffer_offset) - offset;
    1.32 +
    1.33 +    if ( (offset + length) > buf_size ||
    1.34 +         acm_primary_ops->set_binary_policy(buf + offset, length))
    1.35          goto error_lock_free;
    1.36  
    1.37      /* set secondary policy data */
    1.38 -    if (acm_secondary_ops->set_binary_policy(buf + be32_to_cpu(pol->secondary_buffer_offset),
    1.39 -                                             be32_to_cpu(pol->len) - 
    1.40 -                                             be32_to_cpu(pol->secondary_buffer_offset)))
    1.41 +    offset = be32_to_cpu(pol->secondary_buffer_offset);
    1.42 +    length = be32_to_cpu(pol->len) - offset;
    1.43 +    if ( (offset + length) > buf_size ||
    1.44 +         acm_secondary_ops->set_binary_policy(buf + offset, length))
    1.45          goto error_lock_free;
    1.46  
    1.47      write_unlock(&acm_bin_pol_rwlock);