From: Frediano Ziglio Date: Thu, 30 Apr 2020 09:19:09 +0000 (+0100) Subject: [PATCH] quic: Avoid possible buffer overflow in find_bucket X-Git-Tag: archive/raspbian/0.33-3.3+deb9u2+rpi1^2~1 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=de3ccc251ea0430ae470784748d0b94db81965f4;p=spice-gtk.git [PATCH] quic: Avoid possible buffer overflow in find_bucket Proved by fuzzing the code. Signed-off-by: Frediano Ziglio Acked-by: Uri Lublin Gbp-Pq: Name CVE-2020-14355_part4.patch --- diff --git a/spice-common/common/quic_family_tmpl.c b/spice-common/common/quic_family_tmpl.c index 9a434e0..4038dba 100644 --- a/spice-common/common/quic_family_tmpl.c +++ b/spice-common/common/quic_family_tmpl.c @@ -107,7 +107,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val) { spice_assert(val < (0x1U << BPC)); - return channel->_buckets_ptrs[val]; + /* The and (&) here is to avoid buffer overflows in case of garbage or malicious + * attempts. Is much faster then using comparisons and save us from such situations. + * Note that on normal build the check above won't be compiled as this code path + * is pretty hot and would cause speed regressions. + */ + return channel->_buckets_ptrs[val & ((1U << BPC) - 1)]; } #undef FNAME
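Review bot: the mask `val & ((1U << BPC) - 1)` converts an out-of-range `val` into a silently wrong (but in-bounds) bucket lookup rather than a rejected input, and since the new comment states that the `spice_assert(val < (0x1U << BPC))` check is not compiled into normal builds, a corrupted or hostile stream now decodes with an arbitrary valid bucket instead of stopping; that is a defensible trade for a hot path, but the commit message should state that behaviour explicitly rather than only "Avoid possible buffer overflow". The added comment also has grammar slips worth fixing before merge: `The and (&) here` should read `The bitwise AND (&) here`, `Is much faster then using comparisons and save us from such situations.` should read `It is much faster than using comparisons and saves us from such situations.`, and `on normal build` should read `in normal builds`.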