2010/6/10 Eric Blake <eblake@xxxxxxxxxx>: > Otherwise, a malicious packet could cause a DoS via spurious > out-of-memory failure. > > * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming > data is reliable before using it to allocate/dereference memory. > Don't report bogus errno on short read. > Reported by Jim Meyering. > --- > > While trying to flush some of my pending patches, I noticed that > this one had never been given an ack. Originally at: > https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html > > > src/uml/uml_driver.c | 12 ++++++------ > 1 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c > index 3111211..1cbd0bd 100644 > --- a/src/uml/uml_driver.c > +++ b/src/uml/uml_driver.c > @@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver, > if (nbytes < 0) { > if (errno == EAGAIN || errno == EINTR) > continue; > - virReportSystemError(errno, > - _("cannot read reply %s"), > - cmd); > + virReportSystemError(errno, _("cannot read reply %s"), cmd); > goto error; > } > if (nbytes < sizeof res) { > - virReportSystemError(errno, > - _("incomplete reply %s"), > - cmd); > + virReportSystemError(0, _("incomplete reply %s"), cmd); > + goto error; > + } > + if (sizeof res.data < res.length) { > + virReportSystemError(0, _("invalid length in reply %s"), cmd); > goto error; > } > > -- > 1.7.0.1 > ACK. Matthias -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list