linuxmsm/diag
0
0
Fork 0
mirror of https://github.com/linux-msm/diag.git synced 2026-02-25 13:11:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

watch: Fix buffer overflow

Browse Source 
diag_ffs_recv copies mbuf->offset bytes into a fixed 16k buffer.
watch_handle_eventfd sets pending_aio->offset to ev->res, assuming
that ev->res represents the number of bytes read. But res can be
negative in error cases. This causes diag_ffs_recv to copy a very
large amount into a 16k buffer, smashing the stack.

Avoid populating pending_aio->offset if the result is failure.
Also, it appears that if the status code is EAGAIN, the I/O is
actually still in the system, and comes back later.

Signed-off-by: Evan Green <evangreen86@gmail.com>
This commit is contained in:
Evan Green
2019-01-22 15:49:55 -08:00
committed by Bjorn Andersson
parent 2861875311
commit bf8035f68b
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
router/watch.c
View File

@@ -337,7 +337,10 @@ static void watch_handle_eventfd(int evfd, aio_context_t ioctx)
if (iocb->aio_fildes == w->fd) {
assert(w->pending_aio);
if (!w->is_write)
if (ev[i].res == -EAGAIN)
continue;
if (!w->is_write && ev[i].res >= 0)
w->pending_aio->offset = ev[i].res;
w->aio_complete(w->pending_aio, w->data);