From: Peter Maydell Date: Thu, 24 Aug 2023 15:32:23 +0000 (+0100) Subject: net/dump: Avoid variable length array X-Git-Tag: v8.2.0-rc0~123^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4cf68198ea6081de64265a1e1c2620576a209a0;p=thirdparty%2Fqemu.git net/dump: Avoid variable length array Use a g_autofree heap allocation instead of a variable length array in dump_receive_iov(). The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527). Signed-off-by: Peter Maydell Reviewed-by: Francisco Iglesias Signed-off-by: Jason Wang --- diff --git a/net/dump.c b/net/dump.c index 7d05f16ca7a..16073f24582 100644 --- a/net/dump.c +++ b/net/dump.c @@ -68,7 +68,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt, int64_t ts; int caplen; size_t size = iov_size(iov, cnt) - offset; - struct iovec dumpiov[cnt + 1]; + g_autofree struct iovec *dumpiov = g_new(struct iovec, cnt + 1); /* Early return in case of previous error. */ if (s->fd < 0) {
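Review bot: The new g_new() sits in the declaration block of dump_receive_iov(), ahead of the "Early return in case of previous error" check on s->fd, so every call now pays for a heap allocation and a free even when the function returns immediately. Consider declaring `g_autofree struct iovec *dumpiov = NULL;` with the other locals and assigning `dumpiov = g_new(struct iovec, cnt + 1);` after the s->fd check; g_autofree handles a NULL pointer on the early-return path. Separately, cnt is a signed int and cnt + 1 becomes the element count passed to g_new(). The VLA made the same assumption, but since the commit message frames this as a defence against unchecked dynamic sizes, an assertion or a short comment stating that cnt is non-negative and bounded by the caller would make that dependency explicit.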