authorkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-03-27 11:50:43 +0100
committerkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-03-27 11:50:43 +0100
commit08361fe2b26f7bda1e304a31ee9dfdef804f7501 (patch)
tree8dac11751bc2d4709ef4ee88fba2b9058004b4c0 /xen
parent8c832af369b2203df288f3a8da047b1a663b4de1 (diff)
downloadxen-08361fe2b26f7bda1e304a31ee9dfdef804f7501.tar.gz
xen-08361fe2b26f7bda1e304a31ee9dfdef804f7501.tar.bz2
xen-08361fe2b26f7bda1e304a31ee9dfdef804f7501.zip
[ACM] Check offset to be within the buffer's size
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'xen')
-rw-r--r--xen/acm/acm_policy.c24
1 files changed, 15 insertions, 9 deletions
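--- a/xen/acm/acm_policy.c
+++ b/xen/acm/acm_policy.c
@@ -62,6 +62,7 @@ int
 do_acm_set_policy(void *buf, u32 buf_size)
 {
 struct acm_policy_buffer *pol = (struct acm_policy_buffer *)buf;
+ uint32_t offset, length;
 /* some sanity checking */
 if ((be32_to_cpu(pol->magic) != ACM_MAGIC) ||
 (buf_size != be32_to_cpu(pol->len)) ||
@@ -92,22 +93,27 @@ do_acm_set_policy(void *buf, u32 buf_size)
 /* get bin_policy lock and rewrite policy (release old one) */
 write_lock(&acm_bin_pol_rwlock);
+ offset = be32_to_cpu(pol->policy_reference_offset);
+ length = be32_to_cpu(pol->primary_buffer_offset) - offset;
+
 /* set label reference name */
- if (acm_set_policy_reference(buf + be32_to_cpu(pol->policy_reference_offset),
- be32_to_cpu(pol->primary_buffer_offset) -
- be32_to_cpu(pol->policy_reference_offset)))
+ if ( (offset + length) > buf_size ||
+ acm_set_policy_reference(buf + offset, length))
 goto error_lock_free;
 /* set primary policy data */
- if (acm_primary_ops->set_binary_policy(buf + be32_to_cpu(pol->primary_buffer_offset),
- be32_to_cpu(pol->secondary_buffer_offset) -
- be32_to_cpu(pol->primary_buffer_offset)))
+ offset = be32_to_cpu(pol->primary_buffer_offset);
+ length = be32_to_cpu(pol->secondary_buffer_offset) - offset;
+
+ if ( (offset + length) > buf_size ||
+ acm_primary_ops->set_binary_policy(buf + offset, length))
 goto error_lock_free;
 /* set secondary policy data */
- if (acm_secondary_ops->set_binary_policy(buf + be32_to_cpu(pol->secondary_buffer_offset),
- be32_to_cpu(pol->len) -
- be32_to_cpu(pol->secondary_buffer_offset)))
+ offset = be32_to_cpu(pol->secondary_buffer_offset);
+ length = be32_to_cpu(pol->len) - offset;
+ if ( (offset + length) > buf_size ||
+ acm_secondary_ops->set_binary_policy(buf + offset, length))
 goto error_lock_free;
 write_unlock(&acm_bin_pol_rwlock);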
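Review bot: The new guard `(offset + length) > buf_size` at all three `if ( (offset + length) > buf_size ||` sites cannot detect an underflowed `length`: each `length` is computed as `end - offset` in uint32_t, so `offset + length` wraps back to `end` and the comparison only establishes that `end` (primary_buffer_offset, secondary_buffer_offset or len) lies within buf_size, never that `offset` is at or below `end`, which is what keeps `buf + offset` and the passed length inside the buffer. At the third site `end` is `pol->len`, which the first hunk already requires to equal buf_size, so that comparison can never fail. Compare the two offsets explicitly instead, e.g. for the first site `end = be32_to_cpu(pol->primary_buffer_offset);` followed by `if ( end > buf_size || offset > end || acm_set_policy_reference(buf + offset, end - offset) )`, and the same shape for the primary and secondary sites with `end` being the next offset and `pol->len` respectively. do_acm_set_policy starts in the first hunk and its body continues past the end of this one.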