From: "Daniel P. Berrange" <berrange(a)redhat.com>
Missing bounds checking on array parameters is a security
issue for libvirtd, since it allows a client to make libvirtd
allocate unbounded memory.

Missing bounds checking on array return values is not a security
issue, but it is a robustness issue. If the RPC stream somehow
got corrupted, the client could end up allocating unbounded
memory.

The first patch in this series fixes the security flaw introduced
in version 1.1.0, and identified during discussion of this patch:

https://www.redhat.com/archives/libvir-list/2013-August/msg00787.html

The remaining patches address the robustness issues, and add a test
suite to prevent this flaw recurring.
Daniel P. Berrange (12):
  Add bounds checking on virDomainMigrate*Params RPC calls
    (CVE-2013-4292)
  Add bounds checking on virDomainGetJobStats RPC call
  Add bounds checking on
    virDomain{SnapshotListAllChildren,ListAllSnapshots} RPC calls
  Add bounds checking on virConnectListAllDomains RPC call
  Add bounds checking on virConnectListAllStoragePools RPC call
  Add bounds checking on virStoragePoolListAllVolumes RPC call
  Add bounds checking on virConnectListAllNetworks RPC call
  Add bounds checking on virConnectListAllInterfaces RPC call
  Add bounds checking on virConnectListAllNodeDevices RPC call
  Add bounds checking on virConnectListAllNWFilters RPC call
  Add bounds checking on virConnectListAllSecrets RPC call
  Prohibit unbounded arrays in XDR protocols

 cfg.mk                       |   6 ++
 daemon/remote.c              | 119 +++++++++++++++++++++++++++++++++++++++
 src/remote/remote_driver.c   | 130 +++++++++++++++++++++++++++++++++++++++++--
 src/remote/remote_protocol.x | 108 ++++++++++++++++++-----------------
 4 files changed, 304 insertions(+), 59 deletions(-)
--
1.8.3.1
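
The kind of check this series describes, shown on a simplified XDR-style decoder for a counted array. This is an added example, not code from libvirt or from these patches; `decode_u32_array`, `DEMO_PARAMS_MAX` and the two sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical limit, standing in for the <MAX> bound on an XDR array. */
#define DEMO_PARAMS_MAX 64

/* Constructed sample messages: 4-byte big-endian count, then elements. */
static const uint8_t demo_ok[] = { 0,0,0,2, 0,0,0,7, 0,0,1,0 };
static const uint8_t demo_huge[] = { 0xff,0xff,0xff,0xff, 0,0,0,7 };

/* Read a big-endian 32-bit value, as XDR encodes integers. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a counted uint32 array. Returns 0 on success, -1 if the input is
 * truncated or claims more than max elements. Caller frees *out. */
int decode_u32_array(const uint8_t *buf, size_t len, uint32_t max,
                     uint32_t **out, uint32_t *nout)
{
    uint32_t n, i, *vals;

    if (len < 4)
        return -1;
    n = be32(buf);
    if (n > max)                 /* bound check, before any allocation */
        return -1;
    if ((len - 4) / 4 < n)       /* count must fit the bytes received */
        return -1;
    vals = calloc(n ? n : 1, sizeof(*vals));
    if (!vals)
        return -1;
    for (i = 0; i < n; i++)
        vals[i] = be32(buf + 4 + (size_t)i * 4);
    *out = vals;
    *nout = n;
    return 0;
}

int main(void)
{
    uint32_t *v = NULL, n = 0;
    printf("ok:   %d\n", decode_u32_array(demo_ok, sizeof(demo_ok), DEMO_PARAMS_MAX, &v, &n));
    free(v);
    printf("huge: %d\n", decode_u32_array(demo_huge, sizeof(demo_huge), DEMO_PARAMS_MAX, &v, &n));
    return 0;
}
```

The count field is attacker-controlled on the server side and merely untrusted on the client side, so the comparison against the limit has to happen before the allocation in both directions.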