PATCH] slirp: fix buffer overrun

Since the addition of the slirp member to struct mbuf, the value of
SLIRP_MSIZE and the initialization of m_size have not been correct,
resulting in overrunning the end of the malloc'd buffer in some cases.

Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 87508ba013189e4af90b10bc0188f433111af447..eadc8022415432331b5cac906f0494f1c2e7afcf 100644 (file)
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -23,7 +23,7 @@
  * Find a nice value for msize
  * XXX if_maxlinkhdr already in mtu
  */
-#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + sizeof(struct m_hdr ) + 6)
+#define SLIRP_MSIZE (IF_MTU + IF_MAXLINKHDR + offsetof(struct mbuf, m_dat) + 6)
 
 void
 m_init(Slirp *slirp)
@@ -65,7 +65,7 @@ m_get(Slirp *slirp)
        m->m_flags = (flags | M_USEDLIST);
 
        /* Initialise it */
-       m->m_size = SLIRP_MSIZE - sizeof(struct m_hdr);
+       m->m_size = SLIRP_MSIZE - offsetof(struct m_hdr, m_dat);
        m->m_data = m->m_dat;
        m->m_len = 0;
         m->m_nextpkt = NULL;