Eric Blake wrote:
Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---
src/uml/uml_driver.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index eec239f..130d1ae 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -746,11 +746,17 @@ static int umlMonitorCommand(virConnectPtr conn,
goto error;
}
if (nbytes < sizeof res) {
- virReportSystemError(errno,
+ virReportSystemError(0,
_("incomplete reply %s"),
cmd);
goto error;
}
+ if (sizeof res < res.length) {
+ virReportSystemError(0,
+ _("invalid length in reply %s"),
+ cmd);
+ goto error;
+ }
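Review bot: the new check `if (sizeof res < res.length)` bounds the length field by the size of the whole reply structure rather than by the buffer that the length describes. The definition of `res` is not visible in this hunk, but if it carries header fields alongside its payload, a `res.length` larger than the payload and no larger than `sizeof res` still passes, and the code that (per the commit message) uses the length to allocate/dereference memory can then read past the payload. Comparing against the size of the payload member alone would close that gap. Separately, both calls in this hunk now pass 0 to `virReportSystemError`, so there is no errno text to report; an error-reporting call that does not take an errno would suit these two cases better.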
Thanks.
That looks perfect. ACK.
Hmm... while you're there, you might want to save 4 lines by joining
those unnecessarily-continued ones:
virReportSystemError(0, _("invalid length in reply %s"), cmd);