From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

Missing bounds checking on array parameters is a security issue for libvirtd, since it allows a client to make libvirtd allocate unbounded memory.

Missing bounds checking on array return values is not a security issue, but it is a robustness issue. If the RPC stream somehow got corrupted, the client could end up allocating unbounded memory.

The first patch in this series fixes the security flaw introduced in version 1.1.0, and identified during discussion of this patch:

  https://www.redhat.com/archives/libvir-list/2013-August/msg00787.html

The remaining patches address the robustness issues, and add a test suite to prevent this flaw recurring.

Daniel P. Berrange (12):
  Add bounds checking on virDomainMigrate*Params RPC calls (CVE-2013-4292)
  Add bounds checking on virDomainGetJobStats RPC call
  Add bounds checking on virDomain{SnapshotListAllChildren,ListAllSnapshots} RPC calls
  Add bounds checking on virConnectListAllDomains RPC call
  Add bounds checking on virConnectListAllStoragePools RPC call
  Add bounds checking on virStoragePoolListAllVolumes RPC call
  Add bounds checking on virConnectListAllNetworks RPC call
  Add bounds checking on virConnectListAllInterfaces RPC call
  Add bounds checking on virConnectListAllNodeDevices RPC call
  Add bounds checking on virConnectListAllNWFilters RPC call
  Add bounds checking on virConnectListAllSecrets RPC call
  Prohibit unbounded arrays in XDR protocols

 cfg.mk                       |   6 ++
 daemon/remote.c              | 119 +++++++++++++++++++++++++++++++++++++++
 src/remote/remote_driver.c   | 130 +++++++++++++++++++++++++++++++++++++++++--
 src/remote/remote_protocol.x | 108 ++++++++++++++++++-----------------
 4 files changed, 304 insertions(+), 59 deletions(-)

--
1.8.3.1
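
The kind of check this series describes, as an added example that is not part of the original message or of the libvirt source: a decoder for an XDR-style counted array (4-byte big-endian count, then 4-byte elements) rejects the sender-supplied count before allocating anything. The function names, the limit of 64 and the sample messages are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define EXAMPLE_ARRAY_MAX 64  /* hypothetical limit, like a <MAX> bound in a .x file */

/* Constructed sample messages: 4-byte big-endian count, then 4-byte elements. */
static const unsigned char MSG_OK[]    = { 0,0,0,2,  0,0,0,7,  0,0,1,0 };
static const unsigned char MSG_HUGE[]  = { 0xff,0xff,0xff,0xff };  /* claims ~4 billion */
static const unsigned char MSG_SHORT[] = { 0,0,0,3,  0,0,0,1 };    /* claims 3, carries 1 */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the element count (>= 0) and fills *out, or -1 if the message is rejected. */
int example_decode(const unsigned char *buf, size_t len, uint32_t **out)
{
    uint32_t n;
    *out = NULL;
    if (len < 4)
        return -1;
    n = be32(buf);
    if (n > EXAMPLE_ARRAY_MAX)       /* bound the count before any allocation */
        return -1;
    if ((len - 4) / 4 < n)           /* count must match the bytes actually present */
        return -1;
    if (n > 0 && !(*out = calloc(n, sizeof(**out))))
        return -1;
    for (uint32_t i = 0; i < n; i++)
        (*out)[i] = be32(buf + 4 + 4 * (size_t)i);
    return (int)n;
}

/* Convenience wrapper: decode, release the array, report the count or -1. */
int example_count(const unsigned char *buf, size_t len)
{
    uint32_t *v;
    int n = example_decode(buf, len, &v);
    free(v);
    return n;
}

int main(void)
{
    printf("%d %d %d\n", example_count(MSG_OK, sizeof MSG_OK),
           example_count(MSG_HUGE, sizeof MSG_HUGE), example_count(MSG_SHORT, sizeof MSG_SHORT));
    return 0;
}
```

Without the comparison against EXAMPLE_ARRAY_MAX, the four bytes of MSG_HUGE alone would drive the size of the allocation request.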