On Sat, Jun 01, 2019 at 02:40:12PM +0200, Ilias Stamatis wrote: > This argument wasn't validated anywhere, neither in the generic > implementation nor in the individual drivers. As a result a call to this > function with a large enough codeset value prior to this change causes > libvirtd to crash. > > This happens because all drivers call virKeycodeValueTranslate which > uses codeset as an index to the virKeymapValues array, causing an > out-of-bounds error. > > Signed-off-by: Ilias Stamatis <stamatis.iliass@xxxxxxxxx> > --- > src/libvirt-domain.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c > index df7e405b3e..c09448927b 100644 > --- a/src/libvirt-domain.c > +++ b/src/libvirt-domain.c > @@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain, > virCheckNonNullArgGoto(keycodes, error); > virCheckPositiveArgGoto(nkeycodes, error); > > + if (codeset >= VIR_KEYCODE_SET_LAST) { > + virReportInvalidArg(codeset, > + _("codeset must be less than %d"), I think "Unsupported codeset '%d'" sounds a tiny bit better :). Reviewed-by: Erik Skultety <eskultet@xxxxxxxxxx> > + VIR_KEYCODE_SET_LAST); > + goto error; > + } > + > if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) { > virReportInvalidArg(nkeycodes, > _("nkeycodes must be <= %d"), > -- > 2.21.0 > > -- > libvir-list mailing list > libvir-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
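Review bot: The new check in virDomainSendKey bounds codeset only from above (`codeset >= VIR_KEYCODE_SET_LAST`), and it sits in the public entry point rather than next to the array access. If codeset is a signed type, a negative value still passes this test and reaches the virKeymapValues index the commit message describes, so confirm the parameter is unsigned or add a lower-bound check. Since the commit message says all drivers call virKeycodeValueTranslate, a matching range check inside that function would also protect any caller that does not come through virDomainSendKey. A regression test that passes VIR_KEYCODE_SET_LAST as codeset and expects the invalid-argument error would pin the boundary value.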