[libvirt] [PATCH] don't let a bogus packet trigger over-allocation and segfault
Jim Meyering
jim at meyering.net
Wed Mar 3 16:21:56 UTC 2010
Jim Meyering wrote:
> Another not-really-urgent fix:
...
> Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault
>
> * src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
> could include a too-large "ans.len" value, which would make us allocate
> too much memory and then copy data from beyond the end of "ans",
> possibly evoking a segfault. Ensure that the value we use is no
> larger than the remaining portion of "ans".
> Also, change unnecessary memmove to memcpy (src and dest obviously
> do not overlap, so no need to use memmove).
Here's another.
It is nearly identical, so I'll squash it onto the above.
>From 3e89214bb9d4c42e683fb3fe2ff5a46a0988730f Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 3 Mar 2010 17:20:33 +0100
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault
* src/xen/proxy_internal.c (xenProxyDomainGetOSType): Likewise.
---
src/xen/proxy_internal.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index bd234ec..8cb8896 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -1034,22 +1034,23 @@ xenProxyDomainGetOSType(virDomainPtr domain)
}
if ((ans.len == sizeof(virProxyPacket)) && (ans.data.arg < 0)) {
virRaiseError (domain->conn, NULL, NULL, VIR_FROM_REMOTE,
VIR_ERR_OPERATION_FAILED, VIR_ERR_ERROR, NULL, NULL,
NULL, 0, 0, "%s", _("Cannot get domain details"));
return(NULL);
}
- if (ans.len <= sizeof(virProxyPacket)) {
+ if (ans.len <= sizeof(virProxyPacket)
+ || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
return (NULL);
}
oslen = ans.len - sizeof(virProxyPacket);
if (VIR_ALLOC_N(ostype, oslen+1) < 0) {
virReportOOMError();
return NULL;
}
- memmove(ostype, &ans.extra.dinfo, oslen);
+ memcpy(ostype, &ans.extra.dinfo, oslen);
ostype[oslen] = '\0';
return(ostype);
}
--
1.7.0.1.464.g0adc7
More information about the libvir-list
mailing list