[PATCH] quic: Avoid possible buffer overflow in find_bucket

author Frediano Ziglio <freddy77@gmail.com>

Thu, 30 Apr 2020 09:19:09 +0000 (10:19 +0100)

committer Utkarsh Gupta <utkarsh@debian.org>

Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)
author Frediano Ziglio <freddy77@gmail.com>
Thu, 30 Apr 2020 09:19:09 +0000 (10:19 +0100)
committer Utkarsh Gupta <utkarsh@debian.org>
Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)
diff --git a/spice-common/common/quic_family_tmpl.c b/spice-common/common/quic_family_tmpl.c

index 9a434e038b11402f833c3578dbf846aae35c265d..4038dbaacdcebd7f9ffa99f406de219c34145318 100644 (file)
--- a/spice-common/common/quic_family_tmpl.c
+++ b/spice-common/common/quic_family_tmpl.c
@@ -107,7 +107,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
  {
      spice_assert(val < (0x1U << BPC));
  
-    return channel->_buckets_ptrs[val];
+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+     * attempts. Is much faster then using comparisons and save us from such situations.
+     * Note that on normal build the check above won't be compiled as this code path
+     * is pretty hot and would cause speed regressions.
+     */
+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
  }
  
  #undef FNAME
author	Frediano Ziglio <freddy77@gmail.com>
	Thu, 30 Apr 2020 09:19:09 +0000 (10:19 +0100)
committer	Utkarsh Gupta <utkarsh@debian.org>
	Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)