Eric Blake wrote:
> Otherwise, a malicious packet could cause a DoS via spurious
> out-of-memory failure.
>
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
> data is reliable before using it to allocate/dereference memory.
> Don't report bogus errno on short read.
> Reported by Jim Meyering.
> ---
> src/uml/uml_driver.c | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index eec239f..130d1ae 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -746,11 +746,17 @@ static int umlMonitorCommand(virConnectPtr conn,
> goto error;
> }
> if (nbytes < sizeof res) {
> - virReportSystemError(errno,
> + virReportSystemError(0,
> _("incomplete reply %s"),
> cmd);
> goto error;
> }
> + if (sizeof res < res.length) {
> + virReportSystemError(0,
> + _("invalid length in reply %s"),
> + cmd);
> + goto error;
> + }
Thanks.
That looks perfect. ACK.
Hmm... while you're there, you might want to save 4 lines by joining
those unnecessarily-continued ones:
virReportSystemError(0, _("invalid length in reply %s"), cmd);
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list