* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough bytes were read to dereference both res.length, and that many bytes from res.data. Reported by Soren Hansen. --- > Yup, this looks good. I'll wait for a third-party ack before pushing this. Meanwhile, I discovered a bug in Solaris' implementation of offsetof. POSIX requires that offsetof be an integer constant expression, which means that: sizeof offsetof(a,b) should compile. But Solaris (and probably other buggy systems) used too few parens in their macro, and you have to use: sizeof(offsetof(a,b)) instead. Interesting trivia, but at least it doesn't affect any of libvirt's existing uses of offsetof. src/uml/uml_driver.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c index 04493ba..37ddc39 100644 --- a/src/uml/uml_driver.c +++ b/src/uml/uml_driver.c @@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver, virReportSystemError(errno, _("cannot read reply %s"), cmd); goto error; } - if (nbytes < sizeof res) { + if (nbytes < offsetof(struct monitor_request, data) || + nbytes < res.length + offsetof(struct monitor_request, data)) { virReportSystemError(0, _("incomplete reply %s"), cmd); goto error; } - if (sizeof res.data < res.length) { - virReportSystemError(0, _("invalid length in reply %s"), cmd); - goto error; - } if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) { virReportOOMError(); -- 1.7.2.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
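Review bot: the new second condition, `nbytes < res.length + offsetof(struct monitor_request, data)`, is only safe if the addition cannot wrap, and the hunk does not show the type of `res.length`; if it is a 32-bit (or signed) field and the host is 32-bit, a very large or negative length would wrap the sum to a small value and pass the check, after which `VIR_REALLOC_N(retdata, retlen + res.length)` is called with the untrusted length. Rewriting the test as a subtraction avoids the overflow entirely, since the first clause already guarantees `nbytes >= offsetof(...)`: `nbytes - offsetof(struct monitor_request, data) < res.length`. Alternatively keep the removed `if (sizeof res.data < res.length)` guard in front of the new check, which also preserves the more specific "invalid length in reply" diagnostic that this hunk folds into "incomplete reply".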