[libvirt] [PATCH 01/10] uml: fix logic bug in checking reply length
Matthias Bolte
matthias.bolte at googlemail.com
Thu Aug 19 20:47:15 UTC 2010
2010/8/19 Eric Blake <eblake at redhat.com>:
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
> bytes were read to dereference both res.length, and that many
> bytes from res.data.
> Reported by Soren Hansen.
> ---
>
> Whoops; this is a resend of an unrelated issue, but it is still
> sitting on my tree, and the original email has no review yet,
> perhaps because it was in a reply to a longish thread.
>
> src/uml/uml_driver.c | 7 ++-----
> 1 files changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index 04493ba..37ddc39 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver,
> virReportSystemError(errno, _("cannot read reply %s"), cmd);
> goto error;
> }
> - if (nbytes < sizeof res) {
> + if (nbytes < offsetof(struct monitor_request, data) ||
> + nbytes < res.length + offsetof(struct monitor_request, data)) {
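Review bot: `offsetof(struct monitor_request, data)` is applied to `res`, which by its name holds the reply; if `res` is declared as a type other than `struct monitor_request`, take the offset from that type (or confirm the two layouts place `data` at the same offset), otherwise the check validates the wrong header size. Separately, depending on the type of `res.length`, the sum `res.length + offsetof(struct monitor_request, data)` can wrap for a very large `res.length` on a platform with a narrow size_t and let an oversized length pass; since the first test has already established `nbytes >= offsetof(struct monitor_request, data)`, writing the second as `res.length > nbytes - offsetof(struct monitor_request, data)` does the same comparison without the addition.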
You could reverse the order to
nbytes < offsetof(struct monitor_request, data) + res.length
to be in line with the layout of the data, but that's just me nit-picking here.
ACK.
Matthias
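The commit message above describes the check being changed: enough bytes must have been read to dereference res.length, and then enough to cover res.length bytes of res.data. The following is an added example, not code from libvirt or from either author, that puts the pre-patch check (`nbytes < sizeof res`), the patched check (in the operand order Matthias suggests) and a wrap-safe variant side by side and runs them over constructed replies. The struct layout, the MONITOR_BUFLEN value, the magic/version constants and the `fake_recv` helper are assumptions made for illustration; only the fields `length` and `data` come from the patch.

```c
/* Added example, not libvirt code: old, patched and wrap-safe reply-length
 * checks run against constructed replies. Struct layout is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MONITOR_BUFLEN 512   /* assumed payload size */

struct monitor_request {     /* assumed layout: header, then length-prefixed data */
    uint32_t magic;
    uint32_t version;
    uint32_t length;         /* bytes of data[] the peer claims are valid */
    char data[MONITOR_BUFLEN];
};

#define HDR_LEN offsetof(struct monitor_request, data)

/* Pre-patch: only a reply that fills the whole struct passes, and res->length
 * is never compared against anything, so an oversized length is accepted. */
static int accept_old(const struct monitor_request *res, size_t nbytes)
{
    (void)res;
    return !(nbytes < sizeof *res);
}

/* Patched: enough bytes to read res->length, and enough to cover res->length
 * bytes of data. The sum can wrap when size_t is 32-bit and length is huge. */
static int accept_patched(const struct monitor_request *res, size_t nbytes)
{
    return !(nbytes < HDR_LEN || nbytes < HDR_LEN + res->length);
}

/* Wrap-safe form: once nbytes >= HDR_LEN is known, nbytes - HDR_LEN cannot
 * underflow, so compare the claimed length against the bytes actually present. */
static int accept_safe(const struct monitor_request *res, size_t nbytes)
{
    if (nbytes > sizeof *res || nbytes < HDR_LEN)
        return 0;
    return res->length <= nbytes - HDR_LEN;
}

/* Simulate recvfrom(): `nbytes` bytes of a constructed datagram land in a
 * struct that still holds stale bytes from an earlier reply; the kernel never
 * writes past sizeof *res. (Constructed data, not a real UML reply.) */
static size_t fake_recv(struct monitor_request *res, uint32_t claimed, size_t nbytes)
{
    struct monitor_request wire;
    memset(&wire, 0, sizeof wire);
    wire.magic = 0xcafebabe;          /* assumed constant */
    wire.version = 2;                 /* assumed constant */
    wire.length = claimed;
    memset(wire.data, 'A', sizeof wire.data);

    memset(res, 0xAA, sizeof *res);   /* stale contents from a previous reply */
    if (nbytes > sizeof *res)
        nbytes = sizeof *res;
    memcpy(res, &wire, nbytes);
    return nbytes;
}

enum check { CHECK_OLD, CHECK_PATCHED, CHECK_SAFE };

/* Returns 1 if the chosen check accepts a reply whose header claims
 * `claimed` payload bytes but of which only `nbytes` bytes arrived. */
int reply_accepted(enum check which, uint32_t claimed, size_t nbytes)
{
    struct monitor_request res;
    size_t got = fake_recv(&res, claimed, nbytes);
    switch (which) {
    case CHECK_OLD:     return accept_old(&res, got);
    case CHECK_PATCHED: return accept_patched(&res, got);
    default:            return accept_safe(&res, got);
    }
}

int main(void)
{
    size_t full = sizeof(struct monitor_request);
    printf("5-byte payload, 17 bytes read:   old=%d patched=%d safe=%d\n",
           reply_accepted(CHECK_OLD, 5, 17), reply_accepted(CHECK_PATCHED, 5, 17),
           reply_accepted(CHECK_SAFE, 5, 17));
    printf("length 600 > buffer, full read:  old=%d patched=%d safe=%d\n",
           reply_accepted(CHECK_OLD, 600, full), reply_accepted(CHECK_PATCHED, 600, full),
           reply_accepted(CHECK_SAFE, 600, full));
    printf("only 8 header bytes read:        old=%d patched=%d safe=%d\n",
           reply_accepted(CHECK_OLD, 5, 8), reply_accepted(CHECK_PATCHED, 5, 8),
           reply_accepted(CHECK_SAFE, 5, 8));
    return 0;
}
```

The second case is the one the old check gets wrong: a full-size datagram whose header claims more payload than the buffer holds passes `nbytes < sizeof res`, so a later copy of `res.length` bytes out of `res.data` would read past the struct. Both new forms reject it; the patched form additionally accepts a short but complete reply that the old check refused.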