bhyve: avoid buffer overflow in pci_vtcon_control_send

This is a follow-up to the fix for HYP-19, addressing another condition
where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by:    Synacktiv
Reviewed by:	markj
Security:       HYP-19
Sponsored by:   Alpha-Omega Project
Sponsored by:   The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46882
Pierre Pronchery 2024-10-02 23:44:37 +02:00 committed by Ed Maste
parent 23cb03d145
commit b34a4edefb


@ -572,6 +572,9 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
struct iovec iov;
int n;
if (len > SIZE_T_MAX - sizeof(struct pci_vtcon_control))
return;
vq = pci_vtcon_port_to_vq(&sc->vsc_control_port, true);
if (!vq_has_descs(vq))
@ -580,11 +583,11 @@ pci_vtcon_control_send(struct pci_vtcon_softc *sc,
n = vq_getchain(vq, &iov, 1, &req);
assert(n == 1);
if (iov.iov_len < sizeof(struct pci_vtcon_control))
if (iov.iov_len < sizeof(struct pci_vtcon_control) + len)
goto out;
memcpy(iov.iov_base, ctrl, sizeof(struct pci_vtcon_control));
if (payload != NULL && len > 0)
if (len > 0)
memcpy((uint8_t *)iov.iov_base +
sizeof(struct pci_vtcon_control), payload, len);
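Review bot: The second `memcpy` now runs whenever `len > 0`, so the function depends on every caller pairing a non-zero `len` with a non-NULL `payload`; assuming the page prints the old line before the new one, the `payload != NULL` test was dropped from that condition. Nothing in the visible lines states or enforces that contract, and passing a NULL source to `memcpy` is undefined behaviour. Either keep the guard as `if (payload != NULL && len > 0)`, or make the contract explicit next to the new overflow check with `assert(payload != NULL || len == 0);` and a comment such as `/* payload may be NULL only when len is 0 */`. The body starts before and continues after the hunks shown, including the `out:` label, so what is reported for the descriptor on the `goto out` path could not be checked here.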