From d822c2055e411a265ceaf2d4c8061b55287f7ee4 Mon Sep 17 00:00:00 2001
From: Daniel Verkamp
Date: Tue, 24 Oct 2017 12:27:03 -0700
Subject: [PATCH] rte_virtio: check payload size in vhost_user_read

Make sure the recv() can't write beyond the end of the msg buffer.

Change-Id: Ibc4bb51ac3a1c2a027a458d59356b7a5496eca7e
Signed-off-by: Daniel Verkamp
Reviewed-on: https://review.gerrithub.io/383646
Tested-by: SPDK Automated Test System
Reviewed-by: Dariusz Stojaczyk
---
 lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c b/lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c
index 0e75d7b31..4346c69ce 100644
--- a/lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c
+++ b/lib/bdev/virtio/rte_virtio/virtio_user/vhost_user.c
@@ -131,6 +131,13 @@ vhost_user_read(int fd, struct vhost_user_msg *msg)
 }
 sz_payload = msg->size;
+
+ if (sizeof(*msg) - sz_hdr < sz_payload) {
+ SPDK_WARNLOG("Received oversized msg: payload size %zu > available space %zu\n",
+ sz_payload, sizeof(*msg) - sz_hdr);
+ goto fail;
+ }
+
 if (sz_payload) {
 ret = recv(fd, (void *)((char *)msg + sz_hdr), sz_payload, 0);
 if ((size_t)ret != sz_payload) {
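Review bot: The new bound `sizeof(*msg) - sz_hdr` measures everything that follows the header in struct vhost_user_msg rather than the payload area alone, so if the struct carries members after the payload union (its declaration is not in this hunk, so this needs confirming), a peer-supplied `msg->size` can pass the check and still let recv() overwrite those members. Comparing against the payload member itself, e.g. `if (sz_payload > sizeof(msg->payload)) {`, would keep the write inside the region the message is meant to fill, and the log line could then print `sizeof(msg->payload)` as the available space. The `%zu` specifier for `sz_payload` also assumes it is declared `size_t`; that declaration and the start of vhost_user_read are above the hunk, and the function body continues past its last line.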