From: Ross Lagerwall Date: Mon, 16 Mar 2015 13:29:51 +0000 (+0000) Subject: tools/libxl: Avoid overrunning static buffer with prefixdata X-Git-Tag: 4.6.0-rc1~968 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8aaeef92c98e8c131b76e996dda7a456402c8a5a;p=xen.git tools/libxl: Avoid overrunning static buffer with prefixdata An individual datacopier_buf contains a static buffer of 1000 bytes. Attempting to add prefixdata of more than 1000 bytes would overrun the buffer and cause heap corruption. Instead, split the prefixdata and chain together multiple datacopier buffers. This allows for an arbitrary quantity of prefixdata to be added to a datacopier. Signed-off-by: Ross Lagerwall Signed-off-by: Andrew Cooper Acked-by: Ian Campbell CC: Ian Campbell CC: Ian Jackson CC: Wei Liu --- diff --git a/tools/libxl/libxl_aoutils.c b/tools/libxl/libxl_aoutils.c index 3e0c0aefa7..6882ca3bb7 100644 --- a/tools/libxl/libxl_aoutils.c +++ b/tools/libxl/libxl_aoutils.c @@ -160,6 +160,8 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc, { EGC_GC; libxl__datacopier_buf *buf; + const uint8_t *ptr; + /* * It is safe for this to be called immediately after _start, as * is documented in the public comment. _start's caller must have @@ -170,12 +172,14 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc, assert(len < dc->maxsz - dc->used); - buf = libxl__zalloc(NOGC, sizeof(*buf)); - buf->used = len; - memcpy(buf->buf, data, len); + for (ptr = data; len; len -= buf->used, ptr += buf->used) { + buf = libxl__malloc(NOGC, sizeof(*buf)); + buf->used = min(len, sizeof(buf->buf)); + memcpy(buf->buf, ptr, buf->used); - dc->used += len; - LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry); + dc->used += buf->used; + LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry); + } } static int datacopier_pollhup_handled(libxl__egc *egc,
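Review bot: Replacing libxl__zalloc with libxl__malloc inside the new loop means each datacopier_buf is no longer zero-filled, so the tail of buf->buf beyond buf->used is uninitialised heap memory; that is fine only as long as every consumer of dc->bufs reads and writes out exactly buf->used bytes per buffer, which this hunk cannot show, and a comment stating the invariant would make the change self-evident: `/* Only the first buf->used bytes of buf->buf are initialised; consumers must not read past it. */`. The loop also quietly changes the len == 0 case: the old code unconditionally appended one zero-length buffer, whereas `for (ptr = data; len; ...)` now appends nothing, which looks harmless given the list is empty straight after _start but deserves a sentence in the commit message. The `assert(len < dc->maxsz - dc->used)` kept as context still bounds only the total, so the per-buffer bound now rests entirely on `min(len, sizeof(buf->buf))`, which is correct as long as buf->buf stays an array member rather than a pointer. The function's signature and the start of its body lie outside this hunk.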