Previously, there was no check for the size of the message received from the client, and all messages were read into a buffer of size 1024. However, migration data can be bigger than 1024. In such cases, memory corruption occurred.
---
 server/red_worker.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/server/red_worker.c b/server/red_worker.c
index d27aa7e..54cad53 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1597,12 +1597,24 @@ static uint8_t *common_alloc_recv_buf(RedChannelClient *rcc, uint16_t type, uint
 {
     CommonChannel *common = SPICE_CONTAINEROF(rcc->channel, CommonChannel, base);
+    /* SPICE_MSGC_MIGRATE_DATA is the only client message whose size is dynamic */
+    if (type == SPICE_MSGC_MIGRATE_DATA) {
+        return spice_malloc(size);
+    }
+
+    if (size > RECIVE_BUF_SIZE) {
+        spice_critical("unexpected message size %u (max is %d)", size, RECIVE_BUF_SIZE);
+        return NULL;
+    }
     return common->recv_buf;
 }
 static void common_release_recv_buf(RedChannelClient *rcc, uint16_t type, uint32_t size, uint8_t* msg)
 {
+    if (type == SPICE_MSGC_MIGRATE_DATA) {
+        free(msg);
+    }
 }
 #define CLIENT_PIXMAPS_CACHE
-- 
1.7.11.7
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
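Review bot: The `size > RECIVE_BUF_SIZE` branch in common_alloc_recv_buf reports the oversized message with `spice_critical`, which in spice-common aborts the process (unless the abort level is overridden), so a single malformed message from a remote client would take the whole server down and the `return NULL` after it is never reached; logging with `spice_printerr("unexpected message size %u (max is %d)", size, RECIVE_BUF_SIZE);` and returning NULL lets the channel code reject just that client, assuming the caller treats a NULL buffer as a protocol error. The SPICE_MSGC_MIGRATE_DATA path passes the client-supplied `size` straight to `spice_malloc` with no upper bound, so the same peer can drive an arbitrarily large allocation (and, if spice_malloc aborts on failure, the same crash); an explicit maximum for migrate data, or at least a sanity check against the expected migrate-data header size, would be worth adding. The `%u`/`%d` specifiers assume `size` is `uint32_t` and RECIVE_BUF_SIZE an int constant — confirm the macro's type. The free in common_release_recv_buf pairs with spice_malloc only if that wrapper uses the standard allocator; a one-line comment on the free noting that pairing would help the next reader.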