Other parts of the code assume peer_msg contains at least a fixed structure so make sure server is sending enough data.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 src/spice-channel.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/spice-channel.c b/src/spice-channel.c
index c61bcbab..7e5b2e7f 100644
--- a/src/spice-channel.c
+++ b/src/spice-channel.c
@@ -1400,6 +1400,11 @@ static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
     c->peer_hdr.minor_version = GUINT32_FROM_LE(c->peer_hdr.minor_version);
     c->peer_hdr.size = GUINT32_FROM_LE(c->peer_hdr.size);
 
+    if (c->peer_hdr.size < sizeof(*c->peer_msg)) {
+        g_warning("invalid peer header size: %u", c->peer_hdr.size);
+        goto error;
+    }
+
     c->peer_msg = g_malloc0(c->peer_hdr.size);
     if (c->peer_msg == NULL) {
         g_warning("invalid peer header size: %u", c->peer_hdr.size);
-- 
2.17.2

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
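Review bot: The added check bounds `c->peer_hdr.size` only from below, while the value is read from the peer as a 32-bit field and passed unchanged to `g_malloc0()` on the following context line, so a misbehaving server can still drive an allocation of up to 4 GiB; an upper bound next to the new minimum, e.g. `if (c->peer_hdr.size < sizeof(*c->peer_msg) || c->peer_hdr.size > LINK_REPLY_SIZE_LIMIT) {` with the limit a project-chosen constant, would close that. With the minimum in place the existing `if (c->peer_msg == NULL)` test below is effectively dead, because g_malloc0() returns NULL only for a zero size and aborts on allocation failure; if it is kept, its message should not duplicate the new `invalid peer header size: %u` warning so the two rejections can be told apart in logs. spice_channel_recv_link_hdr starts and ends outside the hunk, so whether a later size check already exists could not be confirmed here.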