代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/qemu 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 220a52fda279038d46c25d39a372154ff9b024d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureauls?= <[email protected]>
Date: Tue, 14 Apr 2020 19:06:35 +0800
Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: default avatarLaszlo Ersek <[email protected]>
Signed-off-by: default avatarMarc-André Lureau <[email protected]>
Reviewed-by: Samuel Thibault's avatarSamuel Thibault <[email protected]>
Message-Id: <[email protected]>
---
slirp/src/tcp_subr.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index 019b637a..6c1b17bd 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -655,8 +655,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
NTOHS(n1);
NTOHS(n2);
m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
- assert(m->m_len < M_ROOM(m));
+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
} else {
*eol = '\r';
}
@@ -696,7 +695,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
n5, n6, x == 7 ? buff : "");
return 1;
@@ -732,7 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -759,7 +758,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
m->m_len =
- snprintf(m->m_data, M_ROOM(m),
+ slirp_fmt0(m->m_data, M_ROOM(m),
"%d", ntohs(so->so_fport)) + 1;
return 1;
@@ -779,7 +778,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -791,7 +790,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -803,7 +802,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
--
2.23.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手