[vdagent-win PATCH v2 2/9] Minor overflow checks improvements

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Although source of these data should be safe improve data checks
to avoid some overflows.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 vdagent/vdagent.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
index e22687c..8294ea7 100644
--- a/vdagent/vdagent.cpp
+++ b/vdagent/vdagent.cpp
@@ -1314,7 +1314,7 @@ VOID VDAgent::read_completion(DWORD err, DWORD bytes, LPOVERLAPPED overlapped)
         count = sizeof(VDIChunk) - a->_read_pos;
     } else if (a->_read_pos == sizeof(VDIChunk)) {
         count = chunk->hdr.size;
-        if (a->_read_pos + count > sizeof(a->_read_buf)) {
+        if (count > sizeof(a->_read_buf) - a->_read_pos) {
             vd_printf("chunk is too large, size %u port %u", chunk->hdr.size, chunk->hdr.port);
             a->_running = false;
             return;
@@ -1351,12 +1351,19 @@ void VDAgent::handle_chunk(VDIChunk* chunk)
         uint32_t msg_size = sizeof(VDAgentMessage) + msg->size;
         if (chunk->hdr.size == msg_size) {
             dispatch_message(msg, chunk->hdr.port);
-        } else {
-            ASSERT(chunk->hdr.size < msg_size);
+        } else if (chunk->hdr.size < msg_size) {
             _in_msg = (VDAgentMessage*)new uint8_t[msg_size];
             memcpy(_in_msg, chunk->data, chunk->hdr.size);
             _in_msg_pos = chunk->hdr.size;
+        } else {
+            vd_printf("Invalid VDAgentMessage message");
+            _running = false;
+            return;
         }
+    } else if (chunk->hdr.size > sizeof(VDAgentMessage) + _in_msg->size - _in_msg_pos) {
+        vd_printf("Invalid VDAgentMessage message");
+        _running = false;
+        return;
     } else {
         memcpy((uint8_t*)_in_msg + _in_msg_pos, chunk->data, chunk->hdr.size);
         _in_msg_pos += chunk->hdr.size;
-- 
2.17.1

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux Virtualization]     [Linux Virtualization]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]