
On 16-08-2010 18:04, Eric Blake wrote:
>> So the size of the response datagram isn't sizeof(res) as the check in
>> uml_driver.c expects, but rather sizeof(res.error) + sizeof(res.extra) +
>> sizeof(res.length) + res.length.
>
> I agree with this analysis. In other words, the check should be more like
> this (two conditions - did we get enough bytes to even have a valid
> res.length, and did we get enough bytes to match with what res.length
> stated):
>
>     if (nbytes < offsetof(struct monitor_request, data) ||
>         nbytes < res.length + offsetof(struct monitor_request, data))
>         incomplete reply

Yup, this looks good.

> But before I write such a patch, I'm going to look in more detail at your
> other reply.

Let's just forget all about that one, shall we? Please? :)

-- 
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
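The two-condition check discussed above, written out as an added example (this is not libvirt's or UML's own code). The struct layout (error, extra, length, data[]), the field widths and the buffer size are assumptions for illustration; it also adds a bound on res.length that the thread does not mention, so that an over-long announced length cannot drive a read past the data buffer.

```c
/* Added example (not libvirt's or UML's code): validating a UML monitor
 * reply datagram by its announced length rather than by sizeof(res).
 * The struct layout (error, extra, length, data[]) and the buffer size
 * are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define MONITOR_DATA_MAX 512           /* assumed size of the data buffer */

struct monitor_request {
    uint32_t error;
    uint32_t extra;
    uint32_t length;                   /* valid bytes in data[] */
    char     data[MONITOR_DATA_MAX];
};

/* Header bytes that must arrive before res.length can be trusted. */
#define MONITOR_HDR_LEN offsetof(struct monitor_request, data)

/*
 * True when a datagram of nbytes bytes carries a complete reply.  Two
 * checks as in the thread (header present, payload as long as announced)
 * plus a bound on res.length, so a malformed reply can never make the
 * caller read past data[].  Note that a valid short reply is much smaller
 * than sizeof(struct monitor_request), which is why comparing against
 * sizeof(res) rejects good datagrams.
 */
static bool uml_reply_complete(const struct monitor_request *res, ssize_t nbytes)
{
    if (nbytes < 0 || (size_t)nbytes < MONITOR_HDR_LEN)
        return false;                  /* res.length is not even valid yet */
    if (res->length > MONITOR_DATA_MAX)
        return false;                  /* announced payload cannot fit */
    return (size_t)nbytes >= MONITOR_HDR_LEN + res->length;
}

/* Constructs a reply announcing `length` payload bytes and checks it
 * against a received size of nbytes (constructed input, not a real reply). */
static bool complete_with_length(uint32_t length, ssize_t nbytes)
{
    struct monitor_request res;
    memset(&res, 0, sizeof res);
    res.length = length;
    return uml_reply_complete(&res, nbytes);
}
```

A 2-byte payload arrives as 12 header bytes plus 2, so 14 bytes is a complete reply while 13 or 3 bytes is not.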