From: Vladimir Sementsov-Ogievskiy
Subject: Re: [PATCH 12/12] io/channel-socket: qio_channel_socket_flush(): improve msg validation
Date: Tue, 26 Sep 2023 13:19:14 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
On 26.09.23 12:04, Maksim Davydov wrote:
Could you add a comment into the commit message why ee_data must be bigger than ee_info?
As I understand, in this case ee_data is the lower bound and ee_info is the upper bound of the notification: https://docs.kernel.org/networking/msg_zerocopy.html#notification-parsing and the next line "sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1;" actually depends on it. So, I'll add: For SO_EE_ORIGIN_ZEROCOPY the 32-bit notification range is encoded as [ee_info, ee_data] inclusive, so ee_info should be less than or equal to ee_data.
On 9/25/23 22:40, Vladimir Sementsov-Ogievskiy wrote:Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> --- io/channel-socket.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/io/channel-socket.c b/io/channel-socket.c index 02ffb51e99..3a899b0608 100644 --- a/io/channel-socket.c +++ b/io/channel-socket.c @@ -782,6 +782,11 @@ static int qio_channel_socket_flush(QIOChannel *ioc, "Error not from zero copy"); return -1; } + if (serr->ee_data < serr->ee_info) { + error_setg_errno(errp, serr->ee_origin, + "Wrong notification bounds"); + return -1; + } /* No errors, count successfully finished sendmsg()*/ sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1;
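Review bot: the new check passes serr->ee_origin as the errno argument of error_setg_errno(), but ee_origin is the origin code (SO_EE_ORIGIN_ZEROCOPY on this path), not an errno value, so an unrelated strerror() text gets appended to "Wrong notification bounds"; use error_setg() here, or serr->ee_errno if an errno is wanted, and consider including both bounds in the message (for example "Wrong notification bounds: ee_info %u > ee_data %u") so a malformed notification can be diagnosed from the log. The commit message should also say why ee_data >= ee_info is required, as Maksim asked: the range is [ee_info, ee_data] inclusive and the "sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1;" line right after the check depends on that ordering.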
-- 
Best regards,
Vladimir