Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size

From:	Samuel Thibault
Subject:	Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size
Date:	Thu, 23 Mar 2017 14:21:08 +0100
User-agent:	NeoMutt/20170113 (1.7.2)

Marc-André Lureau, on jeu. 23 mars 2017 15:31:56 +0400, wrote:
> ASAN detects an "unknown-crash" when running pxe-test:
> 
> /ppc64/pxe/spapr-vlan: 
> =================================================================
> ==7143==ERROR: AddressSanitizer: unknown-crash on address 0x7f6dcd298d30 at 
> pc 0x55e22218830d bp 0x7f6dcd2989e0 sp 0x7f6dcd2989d0
> READ of size 128 at 0x7f6dcd298d30 thread T2
>     #0 0x55e22218830c in tftp_session_allocate 
> /home/elmarco/src/qq/slirp/tftp.c:73
>     #1 0x55e22218a1f8 in tftp_handle_rrq /home/elmarco/src/qq/slirp/tftp.c:289
>     #2 0x55e22218b54c in tftp_input /home/elmarco/src/qq/slirp/tftp.c:446
>     #3 0x55e2221833fe in udp6_input /home/elmarco/src/qq/slirp/udp6.c:82
>     #4 0x55e222137b17 in ip6_input /home/elmarco/src/qq/slirp/ip6_input.c:67
> 
> Address 0x7f6dcd298d30 is located in stack of thread T2 at offset 96 in frame
>     #0 0x55e222182420 in udp6_input /home/elmarco/src/qq/slirp/udp6.c:13
> 
>   This frame has 3 object(s):
>     [32, 48) '<unknown>'
>     [96, 124) 'lhost' <== Memory access at offset 96 partially overflows this 
> variable
>     [160, 200) 'save_ip' <== Memory access at offset 96 partially underflows 
> this variable
> 
> The sockaddr_storage pointer is the sockaddr_in6 lhost on the
> stack. Copy only the source addr size.
> 
> Signed-off-by: Marc-André Lureau <address@hidden>

Reviewed-by: Samuel Thibault <address@hidden>

> ---
>  slirp/tftp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/tftp.c b/slirp/tftp.c
> index 50e714807d..a9bc4bb1b6 100644
> --- a/slirp/tftp.c
> +++ b/slirp/tftp.c
> @@ -70,7 +70,7 @@ static int tftp_session_allocate(Slirp *slirp, struct 
> sockaddr_storage *srcsas,
>  
>   found:
>    memset(spt, 0, sizeof(*spt));
> -  spt->client_addr = *srcsas;
> +  memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
>    spt->fd = -1;
>    spt->block_size = 512;
>    spt->client_port = tp->udp.uh_sport;
> -- 
> 2.12.0.191.gc5d8de91d
> 

-- 
Samuel
gawk; talk; nice; date; wine; grep; touch; unzip; strip;  \
touch; gasp; finger; gasp; lyx; gasp; latex; mount; fsck; \
more; yes; gasp; umount; make clean; make mrproper; sleep

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size, Marc-André Lureau, 2017/03/23
- Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size, Samuel Thibault <=
- Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size, Thomas Huth, 2017/03/23

Prev by Date: Re: [Qemu-devel] [PATCH for-2.10 15/23] QMP: include CpuInstanceProperties into query_cpus output output
Next by Date: Re: [Qemu-devel] [PATCH for-2.10 22/23] numa: add '-numa cpu, ...' option for property based node mapping
Previous by thread: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size
Next by thread: Re: [Qemu-devel] [PATCH] slirp: tftp, copy sockaddr_size
Index(es):
- Date
- Thread