Re: [libvirt] [PATCH] don't let a bogus packet trigger over-allocation and segfault
Jim Meyering wrote:
Jim Meyering wrote:
> Another not-really-urgent fix:
...
> Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault
>
> * src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
> could include a too-large "ans.len" value, which would make us allocate
> too much memory and then copy data from beyond the end of "ans",
> possibly evoking a segfault. Ensure that the value we use is no
> larger than the remaining portion of "ans".
> Also, change unnecessary memmove to memcpy (src and dest obviously
> do not overlap, so no need to use memmove).
Here's another.
It is nearly identical, so I'll squash it onto the above.
And here's a third one from that file:
From 717e7129572cafb072dccd5c0a49940801a99f7b Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Wed, 3 Mar 2010 17:24:17 +0100
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault
...
(xenProxyGetCapabilities): Likewise.
---
src/xen/proxy_internal.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index 8cb8896..be79d56 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -927,27 +927,28 @@ xenProxyGetCapabilities (virConnectPtr conn)
req.data.arg = 0;
req.len = sizeof(req);
ret = xenProxyCommand(conn, &req, &ans, 0);
if (ret < 0) {
return NULL;
}
if (ans.data.arg == -1)
return NULL;
- if (ans.len <= sizeof(virProxyPacket)) {
+ if (ans.len <= sizeof(virProxyPacket)
+ || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
return NULL;
}
xmllen = ans.len - sizeof (virProxyPacket);
if (VIR_ALLOC_N(xml, xmllen+1) < 0) {
virReportOOMError();
return NULL;
}
- memmove (xml, ans.extra.str, xmllen);
+ memcpy (xml, ans.extra.str, xmllen);
xml[xmllen] = '\0';
return xml;
}
/**
* xenProxyDomainDumpXML:
* @domain: a domain object
--
1.7.0.1.464.g0adc7