This argument wasn't validated anywhere, neither in the generic implementation nor in the individual drivers. As a result a call to this function with a large enough codeset value prior to this change causes libvirtd to crash. This happens because all drivers call virKeycodeValueTranslate which uses codeset as an index to the virKeymapValues array, causing an out-of-bounds error.

Signed-off-by: Ilias Stamatis <stamatis.iliass@xxxxxxxxx>
---
 src/libvirt-domain.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index df7e405b3e..c09448927b 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
 virCheckNonNullArgGoto(keycodes, error);
 virCheckPositiveArgGoto(nkeycodes, error);
 
+ if (codeset >= VIR_KEYCODE_SET_LAST) {
+ virReportInvalidArg(codeset,
+ _("codeset must be less than %d"),
+ VIR_KEYCODE_SET_LAST);
+ goto error;
+ }
+
 if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
 virReportInvalidArg(nkeycodes,
 _("nkeycodes must be <= %d"),
--
2.21.0
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
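Review bot: The new `codeset >= VIR_KEYCODE_SET_LAST` check guards only this public entry point, while the out-of-bounds index described in the commit message happens in virKeycodeValueTranslate, which this diff does not touch. Any caller that reaches that helper without going through virDomainSendKey would presumably still index virKeymapValues with an unchecked value, so a matching range check in the helper that fails for an out-of-range codeset would make the fix independent of the call path. The upper-bound-only comparison is sufficient only if codeset is an unsigned type; its declaration is outside the hunk, so that is worth confirming. A short comment above the check, such as `/* codeset indexes virKeymapValues in virKeycodeValueTranslate; reject out-of-range values before any driver sees them */`, would record why the bound matters. virDomainSendKey's body begins and ends outside the hunk.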