qemu-devel

Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the


From: Juergen Keil
Subject: Re: [Qemu-devel] [PATCH] Fix for a malloc heap corruption problem in the slirp network code
Date: Mon, 6 Jun 2005 11:06:26 +0200 (CEST)

> Fabrice Bellard wrote
> 
> Juergen Keil wrote:
> > Compiling inside a NetBSD 1.5 qemu guest OS (source files are located
> > on an NFS filesystem mounted from the Solaris host OS) crashes qemu
> > with a malloc heap corruption error, when the slirp user mode
> > networking code is in use.
> > [...]
> 
> > Using the "electric fence" memory allocator, the location of the data
> > corruption can be narrowed down to the destination address in the memcpy
> > call in slirp/mbuf.c, function m_cat():
> > 
> >     void
> >     m_cat(m, n)
> >     register struct mbuf *m, *n;
> >     {
> >     /*
> >      * If there's no room, realloc
> >      */
> >     if (M_FREEROOM(m) < n->m_len)
> >             m_inc(m,m->m_size+MINCSIZE);
> 
> First, this code is incorrect: it increases the size by MINCSIZE which 
> can be smaller than the required size.

Yep.

The m_cat() code might work in the slirp environment because its only
use is to reassemble ip fragments, which have a max size (~1500 bytes) that
is always smaller than MINCSIZE (4096).

To make the code more robust, it won't hurt to make sure the size of the
free room on the "m" mbuf is at least "n->m_len" after the call to m_inc(),
for all sizes of "n->m_len".
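The point of the thread, as an added example that is not slirp's code and not part of the original mail: a cut-down mbuf model showing the quoted m_cat() growth policy beside a grow-to-fit one. The struct layout, the m_inc() semantics (grow the buffer to at least the requested size), M_FREEROOM, the 1024-byte starting mbuf and the rounding in m_cat_safe() are all assumptions made for this example; only the MINCSIZE name and value (4096) and the shape of the size check come from the thread. The fixed-step variant adds a post-m_inc() check that the original lacks, so an undersized buffer becomes an error return rather than an out-of-bounds memcpy().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant name and value as stated in the thread (MINCSIZE = 4096). */
#define MINCSIZE 4096

/* Simplified stand-in for slirp's struct mbuf (assumption: the real one
 * carries more fields; only the three the argument needs are modelled). */
struct mbuf {
    char *m_data;   /* heap buffer holding the payload */
    int   m_size;   /* bytes allocated for m_data */
    int   m_len;    /* bytes of m_data currently in use */
};

#define M_FREEROOM(m) ((m)->m_size - (m)->m_len)

static struct mbuf *mbuf_new(int size)
{
    struct mbuf *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->m_data = malloc(size);
    if (!m->m_data) { free(m); return NULL; }
    m->m_size = size;
    return m;
}

static void mbuf_free(struct mbuf *m)
{
    if (m) { free(m->m_data); free(m); }
}

/* Hypothetical m_inc: grow the buffer so that m_size >= size. */
static int m_inc(struct mbuf *m, int size)
{
    char *p;
    if (size <= m->m_size) return 0;
    p = realloc(m->m_data, size);
    if (!p) return -1;
    m->m_data = p;
    m->m_size = size;
    return 0;
}

/* Same growth policy as the quoted m_cat(): one fixed MINCSIZE step.
 * The second check turns a remaining shortfall into an error return; the
 * quoted original has no such check and would memcpy() past the buffer. */
static int m_cat_fixed_step(struct mbuf *m, const struct mbuf *n)
{
    if (M_FREEROOM(m) < n->m_len && m_inc(m, m->m_size + MINCSIZE) < 0)
        return -1;
    if (M_FREEROOM(m) < n->m_len)
        return -1;      /* n->m_len > MINCSIZE: one step was not enough */
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len);
    m->m_len += n->m_len;
    return 0;
}

/* Hardened version: grow to what the copy actually needs (rounded up to a
 * MINCSIZE multiple), so M_FREEROOM(m) >= n->m_len for every n->m_len. */
static int m_cat_safe(struct mbuf *m, const struct mbuf *n)
{
    if (M_FREEROOM(m) < n->m_len) {
        int need    = m->m_len + n->m_len;
        int newsize = ((need + MINCSIZE - 1) / MINCSIZE) * MINCSIZE;
        if (m_inc(m, newsize) < 0)
            return -1;
    }
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len);
    m->m_len += n->m_len;
    return 0;
}

/* Constructed scenario: m is a full 1024-byte mbuf, n carries nlen bytes.
 * Returns the resulting m->m_len on success, -1 if cat refused or the
 * concatenated payload is not 1024 'A's followed by nlen 'B's. */
static int try_cat(int (*cat)(struct mbuf *, const struct mbuf *), int nlen)
{
    struct mbuf *m = mbuf_new(1024), *n = mbuf_new(nlen);
    int rc = -1, i;
    if (!m || !n) goto out;
    memset(m->m_data, 'A', 1024); m->m_len = 1024;
    memset(n->m_data, 'B', nlen); n->m_len = nlen;
    if (cat(m, n) < 0) goto out;
    for (i = 0; i < m->m_len; i++)
        if (m->m_data[i] != (i < 1024 ? 'A' : 'B')) goto out;
    rc = m->m_len;
out:
    mbuf_free(m); mbuf_free(n);
    return rc;
}

int main(void)
{
    printf("fixed step, 1500-byte fragment:  %d\n", try_cat(m_cat_fixed_step, 1500));
    printf("fixed step, 5000-byte fragment:  %d\n", try_cat(m_cat_fixed_step, 5000));
    printf("grow-to-fit, 5000-byte fragment: %d\n", try_cat(m_cat_safe, 5000));
    return 0;
}
```

With a 1500-byte fragment (the IP fragment size the thread mentions) both variants succeed, because one MINCSIZE step leaves 4096 bytes of room. With a 5000-byte payload the fixed-step variant refuses (in the quoted original that is the case where memcpy() writes past the allocation), while the grow-to-fit variant sizes the buffer from the actual shortfall and completes the copy.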
