Jim Meyering wrote:
> Another not-really-urgent fix:
...
> Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault
>
> * src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
> could include a too-large "ans.len" value, which would make us allocate
> too much memory and then copy data from beyond the end of "ans",
> possibly evoking a segfault. Ensure that the value we use is no
> larger than the remaining portion of "ans".
> Also, change unnecessary memmove to memcpy (src and dest obviously
> do not overlap, so no need to use memmove).

Here's another.
It is nearly identical, so I'll squash it onto the above.

From 3e89214bb9d4c42e683fb3fe2ff5a46a0988730f Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@xxxxxxxxxx>
Date: Wed, 3 Mar 2010 17:20:33 +0100
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault

* src/xen/proxy_internal.c (xenProxyDomainGetOSType): Likewise.
---
 src/xen/proxy_internal.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index bd234ec..8cb8896 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -1034,22 +1034,23 @@ xenProxyDomainGetOSType(virDomainPtr domain) } if ((ans.len == sizeof(virProxyPacket)) && (ans.data.arg < 0)) { virRaiseError (domain->conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_OPERATION_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s", _("Cannot get domain details")); return(NULL); } - if (ans.len <= sizeof(virProxyPacket)) { + if (ans.len <= sizeof(virProxyPacket) + || ans.len > sizeof (ans) - sizeof(virProxyPacket)) { virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); return (NULL); } oslen = ans.len - sizeof(virProxyPacket); if (VIR_ALLOC_N(ostype, oslen+1) < 0) { virReportOOMError(); return NULL; } - memmove(ostype, &ans.extra.dinfo, oslen); + memcpy(ostype, &ans.extra.dinfo, oslen); ostype[oslen] = '\0'; return(ostype); } -- 1.7.0.1.464.g0adc7 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
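
Review bot: The new upper bound in the second `if` of xenProxyDomainGetOSType is applied to ans.len, but the length that is actually allocated and copied is oslen = ans.len - sizeof(virProxyPacket), so the header size is subtracted twice. If the payload read through &ans.extra.dinfo begins right after the virProxyPacket header (the struct layout is not visible in this hunk), the remaining portion of ans is sizeof (ans) - sizeof(virProxyPacket) bytes, and the matching limit would be `oslen > sizeof (ans) - sizeof(virProxyPacket)`, equivalently `ans.len > sizeof (ans)`. The check as posted still stops the over-read, but it also rejects replies whose payload extends into the last sizeof(virProxyPacket) bytes of the buffer. Either relax the comparison or add a comment stating that the tighter limit is intended. A smaller style point on the same line: `sizeof (ans)` is written with a space while the neighbouring `sizeof(virProxyPacket)` is not, so pick one form.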