qemu: fix crash in qemud message process when we don't have enough data
This commit is contained in:
Simon Fels
parent
b76d6eaefa
commit
1eeeea111e
2 changed files with 19 additions and 11 deletions
|
|
@ -23,7 +23,7 @@
|
|||
|
||||
namespace {
|
||||
static constexpr const long header_size{4};
|
||||
}
|
||||
} // namespace
|
||||
|
||||
namespace anbox {
|
||||
namespace qemu {
|
||||
|
|
@ -33,18 +33,17 @@ QemudMessageProcessor::QemudMessageProcessor(
|
|||
|
||||
QemudMessageProcessor::~QemudMessageProcessor() {}
|
||||
|
||||
bool QemudMessageProcessor::process_data(
|
||||
const std::vector<std::uint8_t> &data) {
|
||||
for (const auto &byte : data) buffer_.push_back(byte);
|
||||
bool QemudMessageProcessor::process_data(const std::vector<std::uint8_t> &data) {
|
||||
for (const auto &byte : data)
|
||||
buffer_.push_back(byte);
|
||||
|
||||
process_commands();
|
||||
|
||||
return true;
|
||||
return process_commands();
|
||||
}
|
||||
|
||||
void QemudMessageProcessor::process_commands() {
|
||||
bool QemudMessageProcessor::process_commands() {
|
||||
while (true) {
|
||||
if (buffer_.size() < header_size) break;
|
||||
if (buffer_.size() < header_size)
|
||||
break;
|
||||
|
||||
char header[header_size] = {0};
|
||||
::memcpy(header, buffer_.data(), header_size);
|
||||
|
|
@ -52,6 +51,12 @@ void QemudMessageProcessor::process_commands() {
|
|||
unsigned int body_size = 0;
|
||||
::sscanf(header, "%04x", &body_size);
|
||||
|
||||
// Double check that we have enough data to ready the whole body. If
|
||||
// not we have to wait until we have everything.
|
||||
size_t total_size = header_size + body_size;
|
||||
if (buffer_.size() < total_size)
|
||||
break;
|
||||
|
||||
std::string command;
|
||||
// Make sure we only copy as much bytes as we have to and not more
|
||||
command.insert(0,
|
||||
|
|
@ -64,8 +69,11 @@ void QemudMessageProcessor::process_commands() {
|
|||
buffer_.erase(buffer_.begin(), buffer_.begin() + consumed);
|
||||
|
||||
const auto remaining = buffer_.size() - consumed;
|
||||
if (remaining <= 0) break;
|
||||
if (remaining <= 0)
|
||||
break;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
void QemudMessageProcessor::send_header(const size_t &size) {
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ class QemudMessageProcessor : public network::MessageProcessor {
|
|||
std::shared_ptr<network::SocketMessenger> messenger_;
|
||||
|
||||
private:
|
||||
void process_commands();
|
||||
bool process_commands();
|
||||
|
||||
std::vector<std::uint8_t> buffer_;
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue