Commit b24fe6b6 authored by Frediano Ziglio

quic: Avoid possible buffer overflow in find_bucket

Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
parent ef1b6ff7
......@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
{
spice_extra_assert(val < (0x1U << BPC));
return channel->_buckets_ptrs[val];
/* The and (&) here is to avoid buffer overflows in case of garbage or malicious
* attempts. Is much faster then using comparisons and save us from such situations.
* Note that on normal build the check above won't be compiled as this code path
* is pretty hot and would cause speed regressions.
*/
return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
}
#undef FNAME
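Review bot: The masked index in the new return, `val & ((1U << BPC) - 1)`, is in bounds only if `_buckets_ptrs` holds at least `1U << BPC` entries, and nothing in this hunk states that. The comment should name the array size it relies on, or the mask should be derived from the same constant that sizes the array. Masking also turns an out-of-range `val` into a lookup of an unrelated bucket instead of an error, so on builds where `spice_extra_assert` is compiled out, garbage input keeps decoding with the wrong bucket; if that is the intended trade-off, the comment should say so. Minor wording in the comment: "faster then" should be "faster than", and "Is much faster" needs a subject.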
......