Re: [PATCH 01/10] uml: fix logic bug in checking reply length

2010/8/19 Eric Blake <eblake@xxxxxxxxxx>:
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
> bytes were read to dereference both res.length, and that many
> bytes from res.data.
> Reported by Soren Hansen.
> ---
>
> Whoops; this is a resend of an unrelated issue, but it is still
> sitting on my tree, and the original email has no review yet,
> perhaps because it was in a reply to a longish thread.
>
>  src/uml/uml_driver.c |    7 ++-----
>  1 files changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index 04493ba..37ddc39 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver,
>             virReportSystemError(errno, _("cannot read reply %s"), cmd);
>             goto error;
>         }
> -        if (nbytes < sizeof res) {
> +        if (nbytes < offsetof(struct monitor_request, data) ||
> +            nbytes < res.length + offsetof(struct monitor_request, data)) {
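
Review bot: the second clause, `nbytes < res.length + offsetof(struct monitor_request, data)`, is only meaningful because the first clause has already established that the bytes up to `data` (and so `res.length`) were read. That reliance on short-circuit order deserves a one-line comment, so a later reordering of the two clauses does not bring back a comparison against a length that was never filled in. Separately, `res.length` is taken from the reply itself and neither its type nor that of `nbytes` is visible in this hunk. If `res.length` is signed, or the sum can wrap, the comparison may pass when it should not, so please confirm that the addition cannot overflow and that `res.length` cannot exceed the size of `res.data` before `data` is consumed.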

You could reverse the order to

  nbytes < offsetof(struct monitor_request, data) + res.length

to be in line with the layout of the data, but that's just me nit-picking here.

ACK.

Matthias
