On Tue, Mar 02, 2010 at 05:16:05PM -0700, Eric Blake wrote:
> Coverity detected a potential dereference of uninitialized memory
> if recvfrom got cut short.
>
> * src/uml/uml_driver.c (umlMonitorCommand): Validate complete read
> prior to dereferencing res.
> ---
>
> The patch borrows ideas from macvtap.c, the only other file in
> libvirt that currently uses recvfrom.
>
> I did not analyze whether this is a security hole, where a
> malicious UDP packet could intentionally force the dereferencing
> of uninitialized memory to misbehave in a controlled manner.
>
> src/uml/uml_driver.c | 14 ++++++++++++--
> 1 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index bbea429..eec239f 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -733,14 +733,24 @@ static int umlMonitorCommand(virConnectPtr conn,
> }
>
> do {
> + ssize_t nbytes;
> addrlen = sizeof(addr);
> - if (recvfrom(priv->monitor, &res, sizeof res, 0,
> - (struct sockaddr *)&addr, &addrlen) < 0) {
> + nbytes = recvfrom(priv->monitor, &res, sizeof res, 0,
> + (struct sockaddr *)&addr, &addrlen) < 0;
> + if (nbytes < 0) {
> + if (errno == EAGAIN || errno == EINTR)
> + continue;
> virReportSystemError(errno,
> _("cannot read reply %s"),
> cmd);
> goto error;
> }
> + if (nbytes < sizeof res) {
> + virReportSystemError(errno,
> + _("incomplete reply %s"),
> + cmd);
> + goto error;
> + }
>
> if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
> virReportOOMError();
ACK, looks fine !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list