rdma: use resp.len after validation in qemu_rdma_registration_stop
resp.len is given from remote host. So should be validated before use. Otherwise memcpy can access beyond the buffer. Cc: Michael R. Hines <mrhines@us.ibm.com> Reviewed-by: Orit Wasserman <owasserm@redhat.com> Reviewed-by: Michael R. Hines <mrhines@us.ibm.com> Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp> Signed-off-by: Michael R. Hines <mrhines@us.ibm.com> Message-id: 1376078746-24948-2-git-send-email-mrhines@linux.vnet.ibm.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
parent
6dd2a5c98a
commit
885e8f984e
@ -3045,10 +3045,6 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
|
||||
return ret;
|
||||
}
|
||||
|
||||
qemu_rdma_move_header(rdma, reg_result_idx, &resp);
|
||||
memcpy(rdma->block,
|
||||
rdma->wr_data[reg_result_idx].control_curr, resp.len);
|
||||
|
||||
nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock);
|
||||
|
||||
/*
|
||||
@ -3070,6 +3066,9 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
qemu_rdma_move_header(rdma, reg_result_idx, &resp);
|
||||
memcpy(rdma->block,
|
||||
rdma->wr_data[reg_result_idx].control_curr, resp.len);
|
||||
for (i = 0; i < nb_remote_blocks; i++) {
|
||||
network_to_remote_block(&rdma->block[i]);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user