[libvirt] [PATCH] uml: sanity check external data before using it

Jim Meyering jim at meyering.net
Wed Mar 3 16:41:36 UTC 2010


Eric Blake wrote:
> Otherwise, a malicious packet could cause a DoS via spurious
> out-of-memory failure.
>
> * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
> data is reliable before using it to allocate/dereference memory.
> Don't report bogus errno on short read.
> Reported by Jim Meyering.
> ---
>  src/uml/uml_driver.c |    8 +++++++-
>  1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
> index eec239f..130d1ae 100644
> --- a/src/uml/uml_driver.c
> +++ b/src/uml/uml_driver.c
> @@ -746,11 +746,17 @@ static int umlMonitorCommand(virConnectPtr conn,
>              goto error;
>          }
>          if (nbytes < sizeof res) {
> -            virReportSystemError(errno,
> +            virReportSystemError(0,
>                                   _("incomplete reply %s"),
>                                   cmd);
>              goto error;
>          }
> +        if (sizeof res < res.length) {
> +            virReportSystemError(0,
> +                                 _("invalid length in reply %s"),
> +                                 cmd);
> +            goto error;
> +        }

Thanks.
That looks perfect.  ACK.

Hmm... while you're there, you might want to save 4 lines by joining
those unnecessarily-continued ones:

           virReportSystemError(0, _("invalid length in reply %s"), cmd);




More information about the libvir-list mailing list