[PATCH spice-gtk 1/2] spice-channel: Check minumum size of peer_msg

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Other parts of the code assume peer_msg contains at least a fixed
structure so make sure server is sending enough data.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 src/spice-channel.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/spice-channel.c b/src/spice-channel.c
index c61bcbab..7e5b2e7f 100644
--- a/src/spice-channel.c
+++ b/src/spice-channel.c
@@ -1400,6 +1400,11 @@ static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
     c->peer_hdr.minor_version = GUINT32_FROM_LE(c->peer_hdr.minor_version);
     c->peer_hdr.size = GUINT32_FROM_LE(c->peer_hdr.size);
 
+    if (c->peer_hdr.size < sizeof(*c->peer_msg)) {
+        g_warning("invalid peer header size: %u", c->peer_hdr.size);
+        goto error;
+    }
+
     c->peer_msg = g_malloc0(c->peer_hdr.size);
     if (c->peer_msg == NULL) {
         g_warning("invalid peer header size: %u", c->peer_hdr.size);
-- 
2.17.2

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux Virtualization]     [Linux Virtualization]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]