From: Vladimir Sementsov-Ogievskiy Date: Mon, 6 Nov 2023 15:00:28 +0000 (+0000) Subject: io/channel-socket: qio_channel_socket_flush(): improve msg validation X-Git-Tag: v8.2.0-rc0~28^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35bafa95da671f5a902e87fcc301f76f82cd0831;p=thirdparty%2Fqemu.git io/channel-socket: qio_channel_socket_flush(): improve msg validation For SO_EE_ORIGIN_ZEROCOPY the 32-bit notification range is encoded as [ee_info, ee_data] inclusively, so ee_info should be less or equal to ee_data. Signed-off-by: Vladimir Sementsov-Ogievskiy Reviewed-by: Maksim Davydov Message-id: 20231017125941.810461-7-vsementsov@yandex-team.ru Signed-off-by: Peter Maydell --- diff --git a/io/channel-socket.c b/io/channel-socket.c index 02ffb51e995..3a899b06085 100644 --- a/io/channel-socket.c +++ b/io/channel-socket.c @@ -782,6 +782,11 @@ static int qio_channel_socket_flush(QIOChannel *ioc, "Error not from zero copy"); return -1; } + if (serr->ee_data < serr->ee_info) { + error_setg_errno(errp, serr->ee_origin, + "Wrong notification bounds"); + return -1; + } /* No errors, count successfully finished sendmsg()*/ sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1;
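Review bot: in the added check, `error_setg_errno(errp, serr->ee_origin, ...)` passes an origin code, not an errno, as the errno argument; after the preceding "Error not from zero copy" check it can only be SO_EE_ORIGIN_ZEROCOPY, so the message will carry a strerror() text for an unrelated system error. Since an inverted range is a malformed notification rather than an OS failure, error_setg() with the offending values is clearer and helps diagnose it, e.g. `error_setg(errp, "Wrong notification bounds: ee_info %u > ee_data %u", serr->ee_info, serr->ee_data);`. The check itself is worth having regardless: on the following line `sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1` would wrap in unsigned arithmetic for an inverted range and inflate the sent counter by roughly 2^32, so rejecting the notification before the addition keeps the counter consistent; a one-line comment above the `if` stating the inclusive [ee_info, ee_data] encoding from the commit message would make the intent obvious to the next reader.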