[libvirt] [PATCHv2-resend] uml: sanity check external data before using it
Matthias Bolte
matthias.bolte at googlemail.com
Thu Jun 10 20:06:25 UTC 2010
2010/6/10 Eric Blake <eblake at redhat.com>:
> Otherwise, a malicious packet could cause a DoS via spurious
> out-of-memory failure.
>
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
> data is reliable before using it to allocate/dereference memory.
> Don't report bogus errno on short read.
> Reported by Jim Meyering.
> ---
>
> While trying to flush some of my pending patches, I noticed that
> this one had never been given an ack. Originally at:
> https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html
>
>
> src/uml/uml_driver.c | 12 ++++++------
> 1 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index 3111211..1cbd0bd 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
> if (nbytes < 0) {
> if (errno == EAGAIN || errno == EINTR)
> continue;
> - virReportSystemError(errno,
> - _("cannot read reply %s"),
> - cmd);
> + virReportSystemError(errno, _("cannot read reply %s"), cmd);
> goto error;
> }
> if (nbytes < sizeof res) {
> - virReportSystemError(errno,
> - _("incomplete reply %s"),
> - cmd);
> + virReportSystemError(0, _("incomplete reply %s"), cmd);
> + goto error;
> + }
> + if (sizeof res.data < res.length) {
> + virReportSystemError(0, _("invalid length in reply %s"), cmd);
> goto error;
> }
>
> --
> 1.7.0.1
>
ACK.
Matthias
More information about the libvir-list
mailing list