Re: [libvirt] [PATCH] uml: avoid crash on partial read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel Veillard wrote:
> On Tue, Mar 02, 2010 at 05:16:05PM -0700, Eric Blake wrote:
>> Coverity detected a potential dereference of uninitialized memory
>> if recvfrom got cut short.
>>
>> * src/uml/uml_driver.c (umlMonitorCommand): Validate complete read
>> prior to dereferencing res.
>> ---
>>
>> The patch borrows ideas from macvtap.c, the only other file in
>> libvirt that currently uses recvfrom.
>>
>> I did not analyze whether this is a security hole, where a
>> malicious UDP packet could intentionally force the dereferencing
>> of uninitialized memory to misbehave in a controlled manner.
>>
>>  src/uml/uml_driver.c |   14 ++++++++++++--
>>  1 files changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
>> index bbea429..eec239f 100644
>> --- a/src/uml/uml_driver.c
>> +++ b/src/uml/uml_driver.c
>> @@ -733,14 +733,24 @@ static int umlMonitorCommand(virConnectPtr conn,
>>      }
>>
>>      do {
>> +        ssize_t nbytes;
>>          addrlen = sizeof(addr);
>> -        if (recvfrom(priv->monitor, &res, sizeof res, 0,
>> -                     (struct sockaddr *)&addr, &addrlen) < 0) {
>> +        nbytes = recvfrom(priv->monitor, &res, sizeof res, 0,
>> +                          (struct sockaddr *)&addr, &addrlen) < 0;
>> +        if (nbytes < 0) {
>> +            if (errno == EAGAIN || errno == EINTR)
>> +                continue;
>>              virReportSystemError(errno,
>>                                   _("cannot read reply %s"),
>>                                   cmd);
>>              goto error;
>>          }
>> +        if (nbytes < sizeof res) {
>> +            virReportSystemError(errno,
>> +                                 _("incomplete reply %s"),
>> +                                 cmd);
>> +            goto error;
>> +        }
>>
>>          if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
>>              virReportOOMError();
>
>   ACK, looks fine !

I pushed this, and then (sorry I missed it the first time)
noticed that we'd rather avoid that new use of errno.
errno is not defined for a shorter-than-expected read, so including
strerror(errno) in the diagnostic would be misleading.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]