In packet_get_do() both offset and len are essentially untrusted. We do
some validation of len (check it's < PACKET_MAX_LEN), but that's not enough
to ensure that (len + offset) doesn't overflow. Rearrange our calculation
to make sure it's safe regardless of the given offset & len values.
Signed-off-by: David Gibson
---
packet.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packet.c b/packet.c
index 08076d57..fdc4be76 100644
--- a/packet.c
+++ b/packet.c
@@ -144,7 +144,8 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset,
return NULL;
}
- if (len + offset > p->pkt[idx].iov_len) {
+ if (offset > p->pkt[idx].iov_len ||
+ len > (p->pkt[idx].iov_len - offset)) {
if (func) {
trace("data length %zu, offset %zu from length %zu, "
"%s:%i", len, offset, p->pkt[idx].iov_len,
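Review bot: Add a one-line comment above the rearranged `if` noting that `p->pkt[idx].iov_len - offset` is only evaluated after `offset > p->pkt[idx].iov_len` has been ruled out by the short-circuiting `||`, so the size_t subtraction cannot wrap; without that comment the two-clause form reads like a needless complication of `len + offset > p->pkt[idx].iov_len` and invites being "simplified" back into the overflowing version. The logic itself is correct as written: the first clause bounds `offset`, the second then compares `len` against the remaining bytes without any addition that could overflow, and the `offset == iov_len` case correctly admits only `len == 0`.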
--
2.48.1