[libvirt] [PATCH] don't let a bogus packet trigger over-allocation and segfault

Another not-really-urgent fix:

From 4b56f03dee82657be3af5c79c826ae3091fbf522 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@xxxxxxxxxx>
Date: Wed, 3 Mar 2010 16:50:02 +0100
Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault

* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
could include a too-large "ans.len" value, which would make us allocate
too much memory and then copy data from beyond the end of "ans",
possibly evoking a segfault.  Ensure that the value we use is no
larger than the remaining portion of "ans".
Also, change unnecessary memmove to memcpy (src and dest obviously
do not overlap, so no need to use memmove).
---
 src/xen/proxy_internal.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index 8e1c226..bd234ec 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -978,26 +978,27 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
     memset(&req, 0, sizeof(req));
     req.command = VIR_PROXY_DOMAIN_XML;
     req.data.arg = domain->id;
     req.len = sizeof(req);
     ret = xenProxyCommand(domain->conn, &req, &ans, 0);
     if (ret < 0) {
         return(NULL);
     }
-    if (ans.len <= sizeof(virProxyPacket)) {
+    if (ans.len <= sizeof(virProxyPacket)
+        || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
         virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
         return (NULL);
     }
     xmllen = ans.len - sizeof(virProxyPacket);
     if (VIR_ALLOC_N(xml, xmllen+1) < 0) {
         virReportOOMError();
         return NULL;
     }
-    memmove(xml, &ans.extra.dinfo, xmllen);
+    memcpy(xml, &ans.extra.dinfo, xmllen);
     xml[xmllen] = '\0';

     return(xml);
 }

 /**
  * xenProxyDomainGetOSType:
  * @domain: a domain object
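
Review bot: The new upper bound in the `if` compares `ans.len`, which still includes the header, against `sizeof (ans) - sizeof(virProxyPacket)`, so the limit is tighter by `sizeof(virProxyPacket)` than the "remaining portion of ans" the commit message describes. The quantity actually copied out of `ans.extra.dinfo` is `xmllen = ans.len - sizeof(virProxyPacket)`, so the bound that matches the message is on `xmllen`, which is equivalent to rejecting only when `ans.len > sizeof(ans)`. Assuming the payload starts `sizeof(virProxyPacket)` bytes into `ans` (the declaration of `ans` is not in this hunk), the check as written prevents the over-read but would also refuse a legitimate reply whose XML reaches into the last `sizeof(virProxyPacket)` bytes of the buffer. Consider computing `xmllen` first and bounding it directly against the size of the payload area, or adding a short comment stating the layout the arithmetic relies on. Minor: `sizeof (ans)` and `sizeof(virProxyPacket)` use different spacing within the same expression.
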
--
1.7.0.1.464.g0adc7

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list