author | Dave Voutila <dv@cvs.openbsd.org> | 2021-08-29 12:17:39 +0000 |
---|---|---|
committer | Dave Voutila <dv@cvs.openbsd.org> | 2021-08-29 12:17:39 +0000 |
commit | 1f88d4ed9f61ce05cf647d5af07a654b165e2a6d | |
tree | 333fcf8fcf8351264a8156fc89ca9117107b3a52 /usr.sbin | |
parent | 128c9c1575567f5f5bc628518175e313bf6c0cb5 |
mask next descriptor value and fix chunk_size calculation
Guest can cause out of bounds read with a malformed descriptor. In same
loop, also fix a chunk size calculation.
Reported by Ilja van Sprundel.
ok mlarkin@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/vmd/virtio.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.sbin/vmd/virtio.c b/usr.sbin/vmd/virtio.c index 8150047b13f..b45f42ba19e 100644 --- a/usr.sbin/vmd/virtio.c +++ b/usr.sbin/vmd/virtio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: virtio.c,v 1.95 2021/08/29 11:41:27 dv Exp $ */ +/* $OpenBSD: virtio.c,v 1.96 2021/08/29 12:17:38 dv Exp $ */ /* * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org> @@ -1395,7 +1395,7 @@ vionet_notify_tx(struct vionet_dev *dev) dxx = hdr_desc_idx; do { pktsz += desc[dxx].len; - dxx = desc[dxx].next; + dxx = desc[dxx].next & VIONET_QUEUE_MASK; /* * Virtio 1.0, cs04, section 2.4.5: @@ -1443,7 +1443,7 @@ vionet_notify_tx(struct vionet_dev *dev) if (pkt_desc->len > pktsz - ofs) { log_warnx("%s: descriptor len past pkt len", __func__); - chunk_size = pktsz - ofs - pkt_desc->len; + chunk_size = pktsz - ofs; } else chunk_size = pkt_desc->len; |
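Review bot: In the first vionet_notify_tx hunk (the do-loop that sums pktsz), `dxx = desc[dxx].next & VIONET_QUEUE_MASK;` keeps the index inside the ring but silently aliases an out-of-range guest value onto some other valid slot, so a malformed chain is walked as if it were well formed and nothing is logged. Consider comparing `desc[dxx].next` against the queue size before masking and emitting a log_warnx and bailing out when it is out of range, the way the second hunk already warns on a bad length. The starting value `dxx = hdr_desc_idx` is only visible here as context, so it is worth confirming that it is masked or range-checked the same way before the first `desc[dxx]` access. Since `pktsz += desc[dxx].len` accumulates guest-controlled lengths in the same loop, a short comment on what bounds pktsz would also help the next reader.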
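Review bot: In the second vionet_notify_tx hunk, the guard `if (pkt_desc->len > pktsz - ofs)` and the new `chunk_size = pktsz - ofs;` both rely on ofs never exceeding pktsz, and nothing in the visible lines establishes that. If these are unsigned, `pktsz - ofs` wraps to a large value when ofs is larger, the guard is skipped, and chunk_size takes the guest-supplied `pkt_desc->len` unclamped. An explicit `ofs > pktsz` check ahead of the comparison, or a comment stating the invariant, would close that gap. The clamp itself is the right correction: the removed expression subtracted `pkt_desc->len` in exactly the branch where it is larger than the remaining space. It may also be worth deciding whether a descriptor that trips the "descriptor len past pkt len" warning should cause the packet to be dropped instead of copied with a clamped length.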