Re: [libvirt] [PATCH] proxy: Fix use of uninitalized memory

On short read, members of packet header are checked before actually read. If uninitialized values can pass the test, they can be set to arbitrary values while reading remaining portion of a packet. Buffer overflow is possible. libvirt_proxy is suid-root. diff -urp libvirt-0.5.1/proxy/libvirt_proxy.c libvirt-dev/proxy/libvirt_proxy.c --- libvirt-0.5.1/proxy/libvirt_proxy.c 2008-11-20 08:58:43.000000000 +0100 +++ libvirt-dev/proxy/libvirt_proxy.c 2009-01-25 12:51:33.000000000 +0100 @@ -385,7 +385,8 @@ retry: fprintf(stderr, "read %d bytes from client %d on socket %d\n", ret, nr, pollInfos[nr].fd); - if ((req->version != PROXY_PROTO_VERSION) || + if ((ret != sizeof(virProxyPacket)) || + (req->version != PROXY_PROTO_VERSION) || (req->len < sizeof(virProxyPacket)) || (req->len > sizeof(virProxyFullPacket))) goto comm_error;