"Rasputin" <rasputin@xxxxxxxx> wrote: > On short read, members of packet header are checked before actually read. > If uninitialized values can pass the test, they can be set to arbitrary > values while reading remaining portion of a packet. > > Buffer overflow is possible. libvirt_proxy is suid-root. > > diff -urp libvirt-0.5.1/proxy/libvirt_proxy.c libvirt-dev/proxy/libvirt_proxy.c > --- libvirt-0.5.1/proxy/libvirt_proxy.c 2008-11-20 08:58:43.000000000 +0100 > +++ libvirt-dev/proxy/libvirt_proxy.c 2009-01-25 12:51:33.000000000 +0100 > @@ -385,7 +385,8 @@ retry: > fprintf(stderr, "read %d bytes from client %d on socket %d\n", > ret, nr, pollInfos[nr].fd); > > - if ((req->version != PROXY_PROTO_VERSION) || > + if ((ret != sizeof(virProxyPacket)) || > + (req->version != PROXY_PROTO_VERSION) || > (req->len < sizeof(virProxyPacket)) || > (req->len > sizeof(virProxyFullPacket))) > goto comm_error; This looks like a good patch. Thanks! -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list