Coverity detected a potential dereference of uninitialized memory
if recvfrom got cut short.
* src/uml/uml_driver.c (umlMonitorCommand): Validate complete read
prior to dereferencing res.
---
The patch borrows ideas from macvtap.c, the only other file in
libvirt that currently uses recvfrom.
I did not analyze whether this is a security hole, where a
malicious UDP packet could intentionally force the dereferencing
of uninitialized memory to misbehave in a controlled manner.
src/uml/uml_driver.c | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index bbea429..eec239f 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -733,14 +733,24 @@ static int umlMonitorCommand(virConnectPtr conn,
}
do {
+ ssize_t nbytes;
addrlen = sizeof(addr);
- if (recvfrom(priv->monitor, &res, sizeof res, 0,
- (struct sockaddr *)&addr, &addrlen) < 0) {
+ nbytes = recvfrom(priv->monitor, &res, sizeof res, 0,
+ (struct sockaddr *)&addr, &addrlen) < 0;
+ if (nbytes < 0) {
+ if (errno == EAGAIN || errno == EINTR)
+ continue;
virReportSystemError(errno,
_("cannot read reply %s"),
cmd);
goto error;
}
+ if (nbytes < sizeof res) {
+ virReportSystemError(errno,
+ _("incomplete reply %s"),
+ cmd);
+ goto error;
+ }
if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
virReportOOMError();
--
1.6.6.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list