Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---
src/uml/uml_driver.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index eec239f..130d1ae 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -746,11 +746,17 @@ static int umlMonitorCommand(virConnectPtr conn,
goto error;
}
if (nbytes < sizeof res) {
- virReportSystemError(errno,
+ virReportSystemError(0,
_("incomplete reply %s"),
cmd);
goto error;
}
+ if (sizeof res < res.length) {
+ virReportSystemError(0,
+ _("invalid length in reply %s"),
+ cmd);
+ goto error;
+ }
if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
virReportOOMError();
--
1.6.6.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list