Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---
src/uml/uml_driver.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index eec239f..4a5db9d 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -740,15 +740,15 @@ static int umlMonitorCommand(virConnectPtr conn,
if (nbytes < 0) {
if (errno == EAGAIN || errno == EINTR)
continue;
- virReportSystemError(errno,
- _("cannot read reply %s"),
- cmd);
+ virReportSystemError(errno, _("cannot read reply %s"), cmd);
goto error;
}
if (nbytes < sizeof res) {
- virReportSystemError(errno,
- _("incomplete reply %s"),
- cmd);
+ virReportSystemError(0, _("incomplete reply %s"), cmd);
+ goto error;
+ }
+ if (sizeof res.data < res.length) {
+ virReportSystemError(0, _("invalid length in reply %s"), cmd);
goto error;
}
--
1.6.6.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list