Eric Blake wrote: > Otherwise, a malicious packet could cause a DoS via spurious > out-of-memory failure. > > * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming > data is reliable before using it to allocate/dereference memory. > Don't report bogus errno on short read. > Reported by Jim Meyering. > --- > src/uml/uml_driver.c | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > > diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c > index eec239f..130d1ae 100644 > --- a/src/uml/uml_driver.c > +++ b/src/uml/uml_driver.c > @@ -746,11 +746,17 @@ static int umlMonitorCommand(virConnectPtr conn, > goto error; > } > if (nbytes < sizeof res) { > - virReportSystemError(errno, > + virReportSystemError(0, > _("incomplete reply %s"), > cmd); > goto error; > } > + if (sizeof res < res.length) { > + virReportSystemError(0, > + _("invalid length in reply %s"), > + cmd); > + goto error; > + } Thanks. That looks perfect. ACK. Hmm... while you're there, you might want to save 4 lines by joining those unnecessarily-continued ones: virReportSystemError(0, _("invalid length in reply %s"), cmd); -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list