qemu-devel



From: Fabrice Bellard
Subject: Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the slirp network code
Date: Sun, 05 Jun 2005 19:23:33 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Juergen Keil wrote:
Compiling inside a NetBSD 1.5 qemu guest OS (source files are located
on an NFS filesystem mounted from the Solaris host OS) crashes qemu
with a malloc heap corruption error, when the slirp user mode
networking code is in use.
[...]

Using the "electric fence" memory allocator, the location of the data
corruption can be narrowed down to the destination address in the memcpy
call in slirp/mbuf.c, function m_cat():

    void
    m_cat(m, n)
        register struct mbuf *m, *n;
    {
        /*
         * If there's no room, realloc
         */
        if (M_FREEROOM(m) < n->m_len)
                m_inc(m,m->m_size+MINCSIZE);

First, this code is incorrect: it increases the size by MINCSIZE, which can be smaller than the required size.

        memcpy(m->m_data+m->m_len, n->m_data, n->m_len); <<<< this memcpy corrupts the malloc heap
        ....
    }


The problem is apparently in m_inc(), when an mbuf with an external
data buffer is resized.  After resizing the mbuf, the m_data member
still points into the old buffer, before it was reallocated.  For some
reason, the code to re-adjust the m_data pointer is present in the M_EXT
case in m_inc(), but is commented out. (With a bit of luck, realloc
might be able to adjust the size of the memory block in place; but
slirp shouldn't rely on this)

Fix: Adjust mbuf->m_data after a realloc of the external data buffer

OK. Does someone know why this code was suppressed?

Fabrice.
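The following is an added, self-contained model of the two defects discussed in this thread; it is example code written for this page, not slirp or QEMU code. Field and macro names (m_data, m_len, m_size, M_FREEROOM, MINCSIZE) echo slirp's, but the struct layout, the MINCSIZE value of 64, the bump-arena stand-in for malloc/realloc, the fix_pointer/fix_size switches and the scenario() helper are all assumptions made for the demo. The arena's realloc always relocates the block, i.e. the unlucky case Juergen describes, and because every block lives inside one static array, a stale m_data can be compared against the new block's bounds without undefined behaviour, so the corruption is observable rather than crashing the process.

```c
/* Added example (not slirp/QEMU code): model of m_cat()/m_inc() growth.
 * Assumptions: MINCSIZE value, struct layout, arena allocator, fix switches. */
#include <stdio.h>
#include <string.h>

#define MINCSIZE   64      /* assumed value; slirp's constant may differ */
#define ARENA_SIZE 4096

static char   arena[ARENA_SIZE];
static size_t arena_top;   /* bump pointer; freed blocks are never reused */

static char *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    char *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Always relocates, like a realloc that cannot grow the block in place. */
static char *arena_realloc(char *old, size_t oldsz, size_t newsz) {
    char *p = arena_alloc(newsz);
    if (p) memcpy(p, old, oldsz < newsz ? oldsz : newsz);
    return p;
}

struct mb {
    char *m_ext;   /* external data buffer (the M_EXT case) */
    char *m_data;  /* current payload start inside m_ext */
    int   m_len;   /* payload length */
    int   m_size;  /* capacity of m_ext */
};

/* Equivalent of slirp's M_FREEROOM for an external buffer. */
static int m_freeroom(const struct mb *m) {
    return m->m_size - (int)(m->m_data - m->m_ext) - m->m_len;
}

static int mb_init(struct mb *m, int size, const char *payload, int len) {
    m->m_ext = arena_alloc(size);
    if (!m->m_ext) return -1;
    m->m_data = m->m_ext;
    m->m_size = size;
    m->m_len  = len;
    memcpy(m->m_data, payload, len);
    return 0;
}

/* Grow the external buffer. fix_pointer re-bases m_data onto the new block,
 * the adjustment that was commented out in slirp's M_EXT path. */
static int m_inc(struct mb *m, int size, int fix_pointer) {
    int off = (int)(m->m_data - m->m_ext);
    char *p = arena_realloc(m->m_ext, m->m_size, size);
    if (!p) return -1;
    m->m_ext  = p;
    m->m_size = size;
    if (fix_pointer) m->m_data = p + off;   /* without this, m_data is stale */
    return 0;
}

/* Append n to m. fix_size grows by the real shortfall when it exceeds the
 * fixed MINCSIZE step (Fabrice's point); otherwise only MINCSIZE is added. */
static int m_cat(struct mb *m, const struct mb *n, int fix_pointer, int fix_size) {
    if (m_freeroom(m) < n->m_len) {
        int grow = m->m_size + MINCSIZE;
        int shortfall = n->m_len - m_freeroom(m);
        if (fix_size && shortfall > MINCSIZE) grow = m->m_size + shortfall;
        if (m_inc(m, grow, fix_pointer) < 0) return -1;
    }
    /* In the unfixed variants this write lands outside m_ext. The arena keeps
     * it inside the static array so it can be inspected; a real heap would be
     * corrupted here, which is the crash reported in the thread. */
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len);
    m->m_len += n->m_len;
    return 0;
}

/* 1 if the whole payload lies inside the live buffer, 0 if the write strayed. */
static int payload_in_bounds(const struct mb *m) {
    return m->m_data >= m->m_ext && m->m_data + m->m_len <= m->m_ext + m->m_size;
}

/* Scenario: a 32-byte buffer holding 24 bytes, then append nlen bytes.
 * Returns payload_in_bounds() of the result, or -1 if the arena ran out. */
static int scenario(int nlen, int fix_pointer, int fix_size) {
    const char head[24] = "0123456789abcdefghijklm";   /* constructed input */
    char tail[256];
    struct mb m, n;
    memset(tail, 'X', sizeof tail);
    if (nlen > (int)sizeof tail || mb_init(&n, nlen, tail, nlen) < 0) return -1;
    if (mb_init(&m, 32, head, 24) < 0) return -1;
    if (m_cat(&m, &n, fix_pointer, fix_size) < 0) return -1;
    return payload_in_bounds(&m);
}

int main(void) {
    printf("unfixed (stale m_data)      : in_bounds=%d\n", scenario(16, 0, 0));
    printf("pointer fixed, MINCSIZE only: in_bounds=%d\n", scenario(100, 1, 0));
    printf("pointer and size fixed      : in_bounds=%d\n", scenario(100, 1, 1));
    return 0;
}
```

The first scenario reproduces Juergen's report: after the relocating grow, m_data still points into the old block and the memcpy lands there. The second applies only the m_data fix and shows Fabrice's remaining objection: with an append of 100 bytes into 8 bytes of free room, growing by MINCSIZE leaves the buffer 28 bytes short and the copy runs past the end. Only the third variant, which grows by at least the real shortfall and re-bases m_data, keeps the payload inside the live buffer.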
