Commit 85c0a87c authored by Insu Yun's avatar Insu Yun Committed by David Vrabel

xen: fix potential integer overflow in queue_reply

When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
it can overflow integer range and allocates small size of heap.
After that, memcpy will overflow the allocated heap.
Therefore, it needs to check the size of given length.
Signed-off-by: default avatarInsu Yun <wuninsu@gmail.com>
Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
parent 52ba0746
......@@ -188,6 +188,8 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
if (len == 0)
return 0;
if (len > XENSTORE_PAYLOAD_MAX)
return -EINVAL;
rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL);
if (rb == NULL)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment