[libvirt] [PATCH] don't let a bogus packet trigger over-allocation and segfault
Eric Blake
eblake at redhat.com
Wed Mar 3 16:44:00 UTC 2010
According to Jim Meyering on 3/3/2010 9:26 AM:
>>> Another not-really-urgent fix:
Not sure whether this is 0.7.7 material to plug the crash, or whether it
can wait. Either way,...
> Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault
>
> if (ans.data.arg == -1)
> return NULL;
> - if (ans.len <= sizeof(virProxyPacket)) {
> + if (ans.len <= sizeof(virProxyPacket)
> + || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
> virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
> return NULL;
> }
>
> xmllen = ans.len - sizeof (virProxyPacket);
> if (VIR_ALLOC_N(xml, xmllen+1) < 0) {
> virReportOOMError();
> return NULL;
> }
> - memmove (xml, ans.extra.str, xmllen);
> + memcpy (xml, ans.extra.str, xmllen);
ACK to all three portions of the squashed patch.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 320 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100303/999b8b36/attachment-0001.sig>
More information about the libvir-list
mailing list