From 8aaeef92c98e8c131b76e996dda7a456402c8a5a Mon Sep 17 00:00:00 2001
From: Ross Lagerwall
Date: Mon, 16 Mar 2015 13:29:51 +0000
Subject: [PATCH] tools/libxl: Avoid overrunning static buffer with prefixdata

An individual datacopier_buf contains a static buffer of 1000 bytes. Attempting to add prefixdata of more than 1000 bytes would overrun the buffer and cause heap corruption. Instead, split the prefixdata and chain together multiple datacopier buffers. This allows for an arbitrary quantity of prefixdata to be added to a datacopier.

Signed-off-by: Ross Lagerwall
Signed-off-by: Andrew Cooper
Acked-by: Ian Campbell
CC: Ian Campbell
CC: Ian Jackson
CC: Wei Liu
---
 tools/libxl/libxl_aoutils.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/tools/libxl/libxl_aoutils.c b/tools/libxl/libxl_aoutils.c
index 3e0c0aefa7..6882ca3bb7 100644
--- a/tools/libxl/libxl_aoutils.c
+++ b/tools/libxl/libxl_aoutils.c
@@ -160,6 +160,8 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc,
 {
 EGC_GC;
 libxl__datacopier_buf *buf;
+ const uint8_t *ptr;
+
 /*
 * It is safe for this to be called immediately after _start, as
 * is documented in the public comment. _start's caller must have
@@ -170,12 +172,14 @@ void libxl__datacopier_prefixdata(libxl__egc *egc, libxl__datacopier_state *dc,
 assert(len < dc->maxsz - dc->used);
 
- buf = libxl__zalloc(NOGC, sizeof(*buf));
- buf->used = len;
- memcpy(buf->buf, data, len);
+ for (ptr = data; len; len -= buf->used, ptr += buf->used) {
+ buf = libxl__malloc(NOGC, sizeof(*buf));
+ buf->used = min(len, sizeof(buf->buf));
+ memcpy(buf->buf, ptr, buf->used);
 
- dc->used += len;
- LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry);
+ dc->used += buf->used;
+ LIBXL_TAILQ_INSERT_TAIL(&dc->bufs, buf, entry);
+ }
 }
 
 static int datacopier_pollhup_handled(libxl__egc *egc,
--
2.39.5
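Review bot: The loop body in the second hunk replaces `libxl__zalloc` with `libxl__malloc`, so the bytes of `buf->buf` beyond `buf->used` are now uninitialized heap memory, and the commit message does not mention the allocator change; that is only safe while every consumer of the chain reads exactly `used` bytes, so unless the zeroing was measured as a cost, keeping `buf = libxl__zalloc(NOGC, sizeof(*buf));` removes any chance of stale heap contents reaching the copied stream. The chunking itself deserves a why-comment above the `for`, e.g. `/* datacopier_buf holds a fixed-size buffer; split the data across as many bufs as needed so no single memcpy can overrun it. */`. `min(len, sizeof(buf->buf))` compares `len` with a `size_t`; the parameter list is cut off in the hunk header, so if `len` is declared signed the comparison promotes to unsigned and a negative value would not be caught by the `assert` either — worth confirming its type. Note that with this change a zero-length call no longer appends an empty buf, which looks harmless but is a behavioural difference the message does not state. The function's opening and the comment preceding the `assert` lie outside this hunk.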