
According to Jim Meyering on 3/3/2010 9:26 AM:
Another not-really-urgent fix:
Not sure whether this is 0.7.7 material to plug the crash, or whether it can wait. Either way,...
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault
if (ans.data.arg == -1) return NULL; - if (ans.len <= sizeof(virProxyPacket)) { + if (ans.len <= sizeof(virProxyPacket) + || ans.len > sizeof (ans) - sizeof(virProxyPacket)) { virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); return NULL; }
xmllen = ans.len - sizeof (virProxyPacket); if (VIR_ALLOC_N(xml, xmllen+1) < 0) { virReportOOMError(); return NULL; } - memmove (xml, ans.extra.str, xmllen); + memcpy (xml, ans.extra.str, xmllen);
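Review bot: the upper bound added in the first hunk tests ans.len, which still includes the header, against sizeof (ans) - sizeof(virProxyPacket), whereas the number of bytes actually copied from ans.extra.str is xmllen = ans.len - sizeof (virProxyPacket). The check is safe, but if ans is laid out as a header followed by the payload, it is stricter than needed by one header size and will reject replies whose payload reaches into the last sizeof(virProxyPacket) bytes. Consider computing xmllen first and comparing it against sizeof(ans.extra), or testing ans.len > sizeof (ans), and add a one-line comment saying which limit is intended. The same condition also mixes "sizeof (ans)" and "sizeof(virProxyPacket)" spacing. The memmove to memcpy change in the second hunk looks fine, since xml has just been allocated and cannot overlap ans.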
ACK to all three portions of the squashed patch.

--
Eric Blake   eblake@redhat.com   +1-801-349-2682
Libvirt virtualization library http://libvirt.org