Jim Meyering wrote:
Another not-really-urgent fix: ... Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault
* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet could include a too-large "ans.len" value, which would make us allocate too much memory and then copy data from beyond the end of "ans", possibly evoking a segfault. Ensure that the value we use is no larger than the remaining portion of "ans". Also, change unnecessary memmove to memcpy (src and dest obviously do not overlap, so no need to use memmove).
Here's another. It is nearly identical, so I'll squash it onto the above.
From 3e89214bb9d4c42e683fb3fe2ff5a46a0988730f Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Wed, 3 Mar 2010 17:20:33 +0100 Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault
* src/xen/proxy_internal.c (xenProxyDomainGetOSType): Likewise. --- src/xen/proxy_internal.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c index bd234ec..8cb8896 100644 --- a/src/xen/proxy_internal.c +++ b/src/xen/proxy_internal.c @@ -1034,22 +1034,23 @@ xenProxyDomainGetOSType(virDomainPtr domain) } if ((ans.len == sizeof(virProxyPacket)) && (ans.data.arg < 0)) { virRaiseError (domain->conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_OPERATION_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "%s", _("Cannot get domain details")); return(NULL); } - if (ans.len <= sizeof(virProxyPacket)) { + if (ans.len <= sizeof(virProxyPacket) + || ans.len > sizeof (ans) - sizeof(virProxyPacket)) { virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); return (NULL); } oslen = ans.len - sizeof(virProxyPacket); if (VIR_ALLOC_N(ostype, oslen+1) < 0) { virReportOOMError(); return NULL; } - memmove(ostype, &ans.extra.dinfo, oslen); + memcpy(ostype, &ans.extra.dinfo, oslen); ostype[oslen] = '\0'; return(ostype); } -- 1.7.0.1.464.g0adc7