Another not-really-urgent fix: From: Jim Meyering <meyering(a)redhat.com&gt; Date: Wed, 3 Mar 2010 16:50:02 +0100 Subject: [PATCH] don't let a bogus packet trigger over-allocation and segfault * src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet could include a too-large "ans.len" value, which would make us allocate too much memory and then copy data from beyond the end of "ans", possibly evoking a segfault. Ensure that the value we use is no larger than the remaining portion of "ans". Also, change unnecessary memmove to memcpy (src and dest obviously do not overlap, so no need to use memmove). --- src/xen/proxy_internal.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c index 8e1c226..bd234ec 100644 --- a/src/xen/proxy_internal.c +++ b/src/xen/proxy_internal.c @@ -978,26 +978,27 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED) memset(&req, 0, sizeof(req)); req.command = VIR_PROXY_DOMAIN_XML; req.data.arg = domain->id; req.len = sizeof(req); ret = xenProxyCommand(domain->conn, &req, &ans, 0); if (ret < 0) { return(NULL); } - if (ans.len <= sizeof(virProxyPacket)) { + if (ans.len <= sizeof(virProxyPacket) + || ans.len > sizeof (ans) - sizeof(virProxyPacket)) { virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); return (NULL); } xmllen = ans.len - sizeof(virProxyPacket); if (VIR_ALLOC_N(xml, xmllen+1) < 0) { virReportOOMError(); return NULL; } - memmove(xml, &ans.extra.dinfo, xmllen); + memcpy(xml, &ans.extra.dinfo, xmllen); xml[xmllen] = '\0'; return(xml); } /** * xenProxyDomainGetOSType: * @domain: a domain object -- 1.7.0.1.464.g0adc7