[libvirt] [PATCH] don't let a bogus packet trigger over-allocation and segfault

Jim Meyering jim at meyering.net
Wed Mar 3 16:26:02 UTC 2010 

Jim Meyering wrote:

> Jim Meyering wrote:
>> Another not-really-urgent fix:
> ...
>> Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault
>>
>> * src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
>> could include a too-large "ans.len" value, which would make us allocate
>> too much memory and then copy data from beyond the end of "ans",
>> possibly evoking a segfault.  Ensure that the value we use is no
>> larger than the remaining portion of "ans".
>> Also, change unnecessary memmove to memcpy (src and dest obviously
>> do not overlap, so no need to use memmove).
>
> Here's another.
> It is nearly identical, so I'll squash it onto the above.

And here's a third one from that file:

>From 717e7129572cafb072dccd5c0a49940801a99f7b Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 3 Mar 2010 17:24:17 +0100
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault

...
(xenProxyGetCapabilities): Likewise.
---
 src/xen/proxy_internal.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index 8cb8896..be79d56 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -927,27 +927,28 @@ xenProxyGetCapabilities (virConnectPtr conn)
     req.data.arg = 0;
     req.len = sizeof(req);
     ret = xenProxyCommand(conn, &req, &ans, 0);
     if (ret < 0) {
         return NULL;
     }
     if (ans.data.arg == -1)
         return NULL;
-    if (ans.len <= sizeof(virProxyPacket)) {
+    if (ans.len <= sizeof(virProxyPacket)
+        || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
         virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
         return NULL;
     }

     xmllen = ans.len - sizeof (virProxyPacket);
     if (VIR_ALLOC_N(xml, xmllen+1) < 0) {
         virReportOOMError();
         return NULL;
     }
-    memmove (xml, ans.extra.str, xmllen);
+    memcpy (xml, ans.extra.str, xmllen);
     xml[xmllen] = '\0';

     return xml;
 }

 /**
  * xenProxyDomainDumpXML:
  * @domain: a domain object
--
1.7.0.1.464.g0adc7

More information about the libvir-list mailing list