author | Isaku Yamahata <yamahata@private.email.ne.jp> | 2013-08-09 16:05:40 -0400 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2013-08-12 09:31:15 -0500 |
commit | 885e8f984ea846e79a39ddc4f066f4dd3d04b264 (patch) | |
tree | e4779c6c19f1b1e6c4bc42e8d903b323052c05cd | |
parent | 6dd2a5c98a6b1c9189d342bcc3493c9b5dd1217e (diff) |
rdma: use resp.len after validation in qemu_rdma_registration_stop
resp.len is given from remote host. So should be validated before use.
Otherwise memcpy can access beyond the buffer.
Cc: Michael R. Hines <mrhines@us.ibm.com>
Reviewed-by: Orit Wasserman <owasserm@redhat.com>
Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp>
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
Message-id: 1376078746-24948-2-git-send-email-mrhines@linux.vnet.ibm.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r-- | migration-rdma.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/migration-rdma.c b/migration-rdma.c index 3a380d411a..672126676c 100644 --- a/migration-rdma.c +++ b/migration-rdma.c @@ -3045,10 +3045,6 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque, return ret; } - qemu_rdma_move_header(rdma, reg_result_idx, &resp); - memcpy(rdma->block, - rdma->wr_data[reg_result_idx].control_curr, resp.len); - nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock); /* @@ -3070,6 +3066,9 @@ static int qemu_rdma_registration_stop(QEMUFile *f, void *opaque, return -EINVAL; } + qemu_rdma_move_header(rdma, reg_result_idx, &resp); + memcpy(rdma->block, + rdma->wr_data[reg_result_idx].control_curr, resp.len); for (i = 0; i < nb_remote_blocks; i++) { network_to_remote_block(&rdma->block[i]); |
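Review bot: In the first hunk, the line that stays, `nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock);`, truncates, so a resp.len that is not a multiple of sizeof(RDMARemoteBlock) yields the same count as the next lower multiple. The check that sits between the two hunks is not visible in this diff; if it compares only nb_remote_blocks against the expected count, it should also reject `resp.len % sizeof(RDMARemoteBlock) != 0`, otherwise a length that passes the count comparison can still exceed the bytes that count accounts for.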
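Review bot: In the second hunk, the re-added memcpy still takes its length from resp.len, while the loop right below it consumes nb_remote_blocks entries. Copying `nb_remote_blocks * sizeof(RDMARemoteBlock)` would tie the copied size to the value the preceding `return -EINVAL` path has already vetted. A one-line comment above the moved `qemu_rdma_move_header` and memcpy calls, stating that resp.len comes from the remote host and must not be used before that check, would also keep a later refactor from moving them back up.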