From: Kruti Pendharkar Date: Fri, 17 Oct 2025 04:25:49 +0000 (-0700) Subject: Address potential guest to host escape X-Git-Tag: stable-13.1.0~48 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=cea32699cb4ceef142bb449ec5df8f909760652b;p=thirdparty%2Fopen-vm-tools.git Address potential guest to host escape The change addresses a double fetch issue that could result in stack overflow or other potential security risks. --- diff --git a/open-vm-tools/lib/hgfsServer/hgfsServerPacketUtil.c b/open-vm-tools/lib/hgfsServer/hgfsServerPacketUtil.c index 4ac8591f1..1a84e806a 100644 --- a/open-vm-tools/lib/hgfsServer/hgfsServerPacketUtil.c +++ b/open-vm-tools/lib/hgfsServer/hgfsServerPacketUtil.c @@ -1,5 +1,6 @@ /********************************************************* - * Copyright (C) 2010-2019 VMware, Inc. All rights reserved. + * Copyright (c) 2010-2025 Broadcom. All Rights Reserved. + * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -470,14 +471,7 @@ HSPUGetBuf(HgfsServerChannelCallbacks *chanCb, // IN: Channel callbacks goto exit; } - if (iovMapped == 1) { - /* A single page buffer is contiguous so hold on to guest mappings. */ - *buf = iov[startIndex].va; - goto exit; - } - - /* More than one page was mapped. */ - ASSERT(iov[startIndex].len < bufSize); + ASSERT(iov[startIndex].len <= bufSize); LOG(10, "%s: Hgfs Allocating buffer \n", __FUNCTION__); *buf = Util_SafeMalloc(bufSize);