On Sun, Aug 18, 2013 at 03:33:16PM +0800, Osier Yang wrote:
> On 15/08/13 17:36, Daniel P. Berrange wrote:
> >>diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x > >>index 7cfebdf..06929e7 100644 > >>--- a/src/remote/remote_protocol.x > >>+++ b/src/remote/remote_protocol.x > >>@@ -2837,6 +2837,27 @@ struct remote_domain_event_device_removed_msg { > >> remote_nonnull_string devAlias; > >> }; > >>+struct remote_domain_ip_addr { > >>+ int type; > >>+ remote_nonnull_string addr; > >>+ int prefix; > >>+}; > >>+ > >>+struct remote_domain_interface { > >>+ remote_nonnull_string name; > >>+ remote_string hwaddr; > >>+ remote_domain_ip_addr ip_addrs<>;
> >Use of <> *NOT* allowed - this is a security flaw allowing the client
> >to trigger DOS on libvirtd allocating memory. Follow the examples of
> >other APIs which set an explicit limit.
>
> In that case, we have bug on APIs like listAllDomains too, as they use
> variable-length array too.

Sigh. In future please don't report security problems like that on this
mailing list. We have a dedicated security list for responsible disclosure
of issues in libvirt released code.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
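
Review bot: `remote_domain_ip_addr ip_addrs<>;` in `struct remote_domain_interface` declares the array with no maximum, so the element count is whatever the peer puts on the wire. Define a constant for the largest number of addresses an interface may carry and write the member as `ip_addrs<THAT_CONSTANT>` (placeholder name; the visible lines define no limit). In `struct remote_domain_ip_addr`, `int type;` and `int prefix;` have no comment saying which values are valid; a one-line comment on each, or an unsigned `prefix`, would make the wire format unambiguous.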
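
The explicit limit asked for in the review above, as an added C example that is not libvirt code and not part of this thread: it contrasts what a decoder for `<>` would request from the allocator with a decoder that checks the count first. `EXAMPLE_IP_ADDRS_MAX`, the two-word element layout, the function names and both messages are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define EXAMPLE_IP_ADDRS_MAX 2048u /* hypothetical limit, not libvirt's */
struct example_ip_addr { uint32_t type, prefix; }; /* simplified element */

/* Constructed messages: count 0xffffffff with no elements; count 2 + pairs. */
const uint8_t msg_hostile[] = { 0xff, 0xff, 0xff, 0xff };
const uint8_t msg_valid[] = { 0,0,0,2, 0,0,0,0, 0,0,0,24, 0,0,0,1, 0,0,0,64 };

/* Read one big-endian 32-bit XDR word at *off; -1 if the buffer is short. */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (len - *off < 4)
        return -1;
    *v = (uint32_t)b[*off] << 24 | (uint32_t)b[*off + 1] << 16 |
         (uint32_t)b[*off + 2] << 8 | b[*off + 3];
    *off += 4;
    return 0;
}

/* Bytes a decoder for "<>" would ask the allocator for: peer's count as-is. */
uint64_t unbounded_request(const uint8_t *b, size_t len)
{
    size_t off = 0;
    uint32_t n;
    return get_u32(b, len, &off, &n) < 0 ? 0 : (uint64_t)n * sizeof(struct example_ip_addr);
}

/* Decoder for "<EXAMPLE_IP_ADDRS_MAX>": count is checked before calloc(). */
long decode_bounded(const uint8_t *b, size_t len, struct example_ip_addr **out)
{
    struct example_ip_addr *a;
    size_t off = 0;
    uint32_t n, i;
    *out = NULL;
    if (get_u32(b, len, &off, &n) < 0 || n > EXAMPLE_IP_ADDRS_MAX)
        return -1;                      /* rejected, nothing allocated */
    if (!(a = calloc(n ? n : 1, sizeof(*a))))
        return -1;
    for (i = 0; i < n; i++)
        if (get_u32(b, len, &off, &a[i].type) < 0 ||
            get_u32(b, len, &off, &a[i].prefix) < 0) {
            free(a);                    /* truncated element data */
            return -1;
        }
    *out = a;
    return (long)n;
}
```

A four-byte message is enough to make the unbounded form request roughly 32 GiB, while the bounded decoder returns -1 for it without touching the allocator.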