From 122f9cf234bd97ea47f0b185a5e3b7acf5d33780 Mon Sep 17 00:00:00 2001
From: Lingjing You
Date: Tue, 15 Aug 2023 14:46:25 +0800
Subject: [PATCH] viosock: fix sending large packet sg list

If the first element in SgList is not 4KB, there will be 17 element in SgList for 64KB data, which will cause a stack buffer overrun BSOD.

Signed-off-by: Lingjing You
---
 viosock/sys/Tx.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/viosock/sys/Tx.c b/viosock/sys/Tx.c
index d1649084a..11c6c92d1 100644
--- a/viosock/sys/Tx.c
+++ b/viosock/sys/Tx.c
@@ -52,7 +52,7 @@ typedef struct _VIOSOCK_TX_PKT
     WDFDMATRANSACTION Transaction;
     union
     {
-        BYTE IndirectDescs[SIZE_OF_SINGLE_INDIRECT_DESC * (1 + VIOSOCK_DMA_TX_PAGES)]; //Header + sglist
+        BYTE IndirectDescs[SIZE_OF_SINGLE_INDIRECT_DESC * (1 + (VIOSOCK_DMA_TX_PAGES + 1))]; //Header + sglist(maybe not aligned)
         struct
         {
             LIST_ENTRY ListEntry;
@@ -252,7 +252,7 @@ VIOSockTxPktInsert(
     IN PVIRTIO_DMA_TRANSACTION_PARAMS pParams OPTIONAL
 )
 {
-    VIOSOCK_SG_DESC sg[VIOSOCK_DMA_TX_PAGES + 1];
+    VIOSOCK_SG_DESC sg[VIOSOCK_DMA_TX_PAGES + 2];
     ULONG uElements = 1, uPktLen = 0;
     PVOID va_indirect = NULL;
     ULONGLONG phys_indirect = 0;
@@ -276,9 +276,14 @@ VIOSockTxPktInsert(
     {
         ULONG i;

-        ASSERT(SgList->NumberOfElements <= VIOSOCK_DMA_TX_PAGES);
         for (i = 0; i < SgList->NumberOfElements; i++)
         {
+            if (i + 1 >= VIOSOCK_DMA_TX_PAGES + 2)
+            {
+                TraceEvents(TRACE_LEVEL_ERROR, DBG_WRITE, "Error creating sg list, number of sg elements exceeds limit.\n");
+                return FALSE;
+            }
+
             sg[i + 1].length = SgList->Elements[i].Length;
             sg[i + 1].physAddr = SgList->Elements[i].Address;
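Review bot: The new `IndirectDescs` size on the `+` line of the first hunk, the `sg[VIOSOCK_DMA_TX_PAGES + 2]` declaration in the second hunk and the `i + 1 >= VIOSOCK_DMA_TX_PAGES + 2` bound in the third all encode the same "one extra element when the first page is unaligned" rule as separate literals, so a later edit to any one of them can silently reintroduce the stack overrun this commit fixes. A single named constant would keep the three in step, e.g. a new definition such as `#define VIOSOCK_DMA_TX_MAX_SG (VIOSOCK_DMA_TX_PAGES + 1) /* data elements; unaligned first page adds one */` (name chosen here as an illustration), used as `IndirectDescs[SIZE_OF_SINGLE_INDIRECT_DESC * (1 + VIOSOCK_DMA_TX_MAX_SG)]` in this struct and as `sg[1 + VIOSOCK_DMA_TX_MAX_SG]` with the matching loop bound in VIOSockTxPktInsert. The trailing comment `//Header + sglist(maybe not aligned)` would then state the invariant plainly as `// descriptor 0 = header, then up to VIOSOCK_DMA_TX_MAX_SG data descriptors (first page may be unaligned)`. The struct definition continues outside the hunk.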
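Review bot: The enlarged stack array `VIOSOCK_SG_DESC sg[VIOSOCK_DMA_TX_PAGES + 2];` carries no explanation of the `+ 2`, and the commit message is the only place that records why a 64KB transfer can need one descriptor more than VIOSOCK_DMA_TX_PAGES; a reader of the function cannot see that slot 0 is reserved by `uElements = 1` and that the remaining slots must hold one more entry than pages. A line comment makes the sizing self-describing, e.g. `VIOSOCK_SG_DESC sg[VIOSOCK_DMA_TX_PAGES + 2]; // [0] = header; [1..] = data, an unaligned first page can add one extra element`. Since `sg` lives on the kernel stack, it is presumably worth noting its byte size next to the declaration so future growth of VIOSOCK_DMA_TX_PAGES is weighed against stack budget; I could not confirm the element size from the hunk. VIOSockTxPktInsert's body continues outside the hunk.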