master

分支 (18)

标签 (16)

管理

管理

master

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP1

openEuler-23.09

openEuler-23.03

openEuler-22.03-LTS

openEuler-22.03-LTS-SP2

openEuler-20.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP2

openEuler-21.09

openEuler-22.09

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

spice
/
backport-0004-CVE-2020-14355.patch

From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Thu, 30 Apr 2020 10:19:09 +0100
Subject: [PATCH] quic: Avoid possible buffer overflow in find_bucket

Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 subprojects/spice-common/common//quic_family_tmpl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/subprojects/spice-common/common/quic_family_tmpl.c
+++ b/subprojects/spice-common/common/quic_family_tmpl.c
@@ -105,7 +105,12 @@ static s_bucket *FNAME(find_bucket)(Chan
         spice_assert(val < (0x1U << BPC));
     }

-    return channel->_buckets_ptrs[val];
+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+     * attempts. Is much faster then using comparisons and save us from such situations.
+     * Note that on normal build the check above won't be compiled as this code path
+     * is pretty hot and would cause speed regressions.
+     */
+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
 }

 #undef FNAME
--
GitLab