Date:      Tue, 30 Jan 2024 14:19:19 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 91ebe67e90d5 - stable/14 - bhyve: Avoid underflows when handling remote commands
Message-ID:  <202401301419.40UEJJN4096471@gitrepo.freebsd.org>

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=91ebe67e90d5859df282aac9c978e54789217b12

commit 91ebe67e90d5859df282aac9c978e54789217b12
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-01-23 16:40:40 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-01-30 14:18:53 +0000

    bhyve: Avoid underflows when handling remote commands
    
    Reviewed by:    corvink, jhb
    MFC after:      1 week
    Sponsored by:   Innovate UK
    Differential Revision:  https://reviews.freebsd.org/D43480
    
    (cherry picked from commit cfa2c78aee859bfc6549951bb6a36085fdd374e8)
---
 usr.sbin/bhyve/gdb.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/gdb.c b/usr.sbin/bhyve/gdb.c
index 9748f7d82b44..cc05a32a5c56 100644
--- a/usr.sbin/bhyve/gdb.c
+++ b/usr.sbin/bhyve/gdb.c
@@ -1053,6 +1053,8 @@ gdb_read_mem(const uint8_t *data, size_t len)
 	bool started;
 	int error;
 
+	assert(len >= 1);
+
 	/* Skip 'm' */
 	data += 1;
 	len -= 1;
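Review bot: The `assert(len >= 1)` at the top of gdb_read_mem is the only thing standing between a zero-length packet and the `len -= 1` below it, and an assert is not a runtime check: built with NDEBUG it disappears and `len`, being a size_t, wraps to SIZE_MAX, while in a normal build it aborts the whole bhyve process on input that arrives from the remote debugger. If the caller does not already guarantee a non-empty buffer, reject the packet here with `send_error(EINVAL); return;`, the same way the gdb_query and handle_command hunks in this patch do.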
@@ -1164,6 +1166,8 @@ gdb_write_mem(const uint8_t *data, size_t len)
 	size_t resid, todo, bytes;
 	int error;
 
+	assert(len >= 1);
+
 	/* Skip 'M' */
 	data += 1;
 	len -= 1;
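Review bot: Missing documentation for the invariant asserted at the top of gdb_write_mem: nothing in the hunk says who guarantees `len >= 1`. A one-line comment above the assert naming the caller that has already consumed the command byte (for example "handle_command() only dispatches here with a non-empty packet", if that is the case) would let a later reader tell whether this is a true precondition or a check on untrusted input that deserves an error reply instead.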
@@ -1558,7 +1562,7 @@ gdb_query(const uint8_t *data, size_t len)
 
 		data += strlen("qThreadExtraInfo");
 		len -= strlen("qThreadExtraInfo");
-		if (*data != ',') {
+		if (len == 0 || *data != ',') {
 			send_error(EINVAL);
 			return;
 		}
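Review bot: The new `len == 0` test in gdb_query protects the `*data` dereference, but it runs after `len -= strlen("qThreadExtraInfo")`, so it only helps if the code above this hunk has already established that `len` is at least the length of that prefix. If the prefix match does not check the length, the subtraction wraps and `len == 0` is never true. Worth confirming that the match is length-aware, and a short comment here saying so would make the ordering obviously safe.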
@@ -1609,7 +1613,7 @@ handle_command(const uint8_t *data, size_t len)
 	case 'H': {
 		int tid;
 
-		if (data[1] != 'g' && data[1] != 'c') {
+		if (len < 2 || (data[1] != 'g' && data[1] != 'c')) {
 			send_error(EINVAL);
 			break;
 		}
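Review bot: In the 'H' case of handle_command the added `len < 2` test prevents a read of `data[1]` past the end of a one-byte packet, which is an out-of-bounds read rather than an underflow, so the commit title undersells what this hunk (and the gdb_query one) fixes. The check itself and its short-circuit ordering look right; consider mentioning the out-of-bounds reads in the log message so the change is easier to find when auditing the stub's handling of truncated packets.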


