2010/8/19 Eric Blake <eblake@xxxxxxxxxx>:
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
> bytes were read to dereference both res.length, and that many
> bytes from res.data.
> Reported by Soren Hansen.
> ---
>
> Whoops; this is a resend of an unrelated issue, but it is still
> sitting on my tree, and the original email has no review yet,
> perhaps because it was in a reply to a longish thread.
>
> src/uml/uml_driver.c | 7 ++-----
> 1 files changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index 04493ba..37ddc39 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver,
> virReportSystemError(errno, _("cannot read reply %s"), cmd);
> goto error;
> }
> - if (nbytes < sizeof res) {
> + if (nbytes < offsetof(struct monitor_request, data) ||
> + nbytes < res.length + offsetof(struct monitor_request, data)) {

You could reverse the order to

  nbytes < offsetof(struct monitor_request, data) + res.length

to be in line with the layout of the data, but that's just me
nit-picking here.

ACK.

Matthias

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
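Review bot: the second clause in the added lines of the hunk, `nbytes < res.length + offsetof(struct monitor_request, data)`, is only a complete bounds check if that addition cannot wrap; the type of `res.length` is not visible in the hunk, and if it is an unsigned type as wide as `size_t` a very large value from the reply makes the sum small, so the comparison passes and the caller goes on to trust `res.length` bytes of `res.data`. Since the first clause already guarantees `nbytes >= offsetof(struct monitor_request, data)`, the equivalent subtraction form `nbytes - offsetof(struct monitor_request, data) < res.length` cannot overflow and expresses the intent (bytes actually received in `data` versus bytes claimed) directly; if `res.length` is narrower than `size_t` the current form is fine and a one-line comment saying so would settle it for future readers. The hunk as quoted ends at the new `if` condition, so whatever follows the check is not reviewable here.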