From: Frediano Ziglio <freddy77@xxxxxxxxx>
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@xxxxxxxxx>
Acked-by: Uri Lublin <uril@xxxxxxxxxx>
---
common/quic_family_tmpl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
index 8a5f7d2..6cc051b 100644
--- a/common/quic_family_tmpl.c
+++ b/common/quic_family_tmpl.c
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
{
spice_extra_assert(val < (0x1U << BPC));
- return channel->_buckets_ptrs[val];
+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+ * attempts. Is much faster then using comparisons and save us from such situations.
+ * Note that on normal build the check above won't be compiled as this code path
+ * is pretty hot and would cause speed regressions.
+ */
+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
}
#undef FNAME
--
2.26.2
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel