Add mtod_check()

Git-commit: 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
References: bsc#1187364, CVE-2021-3592
            bsc#1187367, CVE-2021-3594

Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>

diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
index 54ec721eb5eb0247b19679cd82657661f5020ec3..cb2e971083a9d30e25552ee91f2943799a8ff494 100644 (file)
--- a/slirp/src/mbuf.c
+++ b/slirp/src/mbuf.c
@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
 
     return (struct mbuf *)0;
 }
+
+void *mtod_check(struct mbuf *m, size_t len)
+{
+    if (m->m_len >= len) {
+        return m->m_data;
+    }
+
+    DEBUG_ERROR("mtod failed");
+
+    return NULL;
+}

diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
index 546e7852c54583d3e22b1a0d84cf3c9bdb6b4ae6..2015e3232f1b7840dc14d1c6bdb3ec0bd35aba34 100644 (file)
--- a/slirp/src/mbuf.h
+++ b/slirp/src/mbuf.h
@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
 void m_adj(struct mbuf *, int);
 int m_copy(struct mbuf *, struct mbuf *, int, int);
 struct mbuf *dtom(Slirp *, void *);
+void *mtod_check(struct mbuf *, size_t len);
 
 static inline void ifs_init(struct mbuf *ifm)
 {