Integer overflow and remote code are never a nice mix.
This has existed since commit 56cd414.
* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
on sending rpc.
* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
receiving rpc.
---
Gnulib makes checking for multiply overflow easy.
daemon/remote.c | 4 +++-
src/libvirt.c | 5 +++--
src/remote/remote_driver.c | 4 +++-
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/daemon/remote.c b/daemon/remote.c
index 48624d6..8d04fc7 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -61,6 +61,7 @@
#include "network.h"
#include "libvirt/libvirt-qemu.h"
#include "command.h"
+#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
@@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemud_server *server
ATTRIBUTE_UNUSED,
goto cleanup;
}
- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
+ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen >
REMOTE_CPUMAPS_MAX"));
goto cleanup;
}
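Review bot: Negative values may still get past this guard, because `INT_MULTIPLY_OVERFLOW` only rejects products that do not fit and a negative product compares below `REMOTE_CPUMAPS_MAX`. The declarations of `args->maxinfo` and `args->maplen` are not visible in this hunk, so this applies only if they are signed and no earlier check outside the hunk rejects negatives. In that case, since both values arrive in the RPC request, I would put `args->maxinfo < 0 || args->maplen < 0 ||` in front of the overflow test. The unchanged error text `maxinfo * maplen > REMOTE_CPUMAPS_MAX` is now also reported for the overflow case, which it does not describe. The function body starts and ends outside the hunk.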
diff --git a/src/libvirt.c b/src/libvirt.c
index 76e16ad..9fe9a69 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -39,6 +39,7 @@
#include "util.h"
#include "memory.h"
#include "configmake.h"
+#include "intprops.h"
#ifndef WITH_DRIVER_MODULES
# ifdef WITH_TEST
@@ -7153,8 +7154,8 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int
maxinfo,
/* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
try to memcpy anything into a NULL pointer. */
- if ((cpumaps == NULL && maplen != 0)
- || (cpumaps && maplen <= 0)) {
+ if (!cpumaps ? maplen != 0
+ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
goto error;
}
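Review bot: The comment above this condition still describes only the NULL-pointer memcpy case, while the rewritten test also rejects a `maxinfo * maplen` product that overflows, and the nested ternary makes that second purpose easy to miss. I would extend the comment with a sentence such as `Also reject maxinfo * maplen overflowing int, so the product is safe to compute later.` The function body starts and ends outside the hunk.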
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index a7ac90a..f2edf43 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -83,6 +83,7 @@
#include "ignore-value.h"
#include "files.h"
#include "command.h"
+#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
@@ -2161,7 +2162,8 @@ remoteDomainGetVcpus (virDomainPtr domain,
maxinfo, REMOTE_VCPUINFO_MAX);
goto done;
}
- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
+ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
remoteError(VIR_ERR_RPC,
_("vCPU map buffer length exceeds maximum: %d > %d"),
maxinfo * maplen, REMOTE_CPUMAPS_MAX);
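Review bot: The error path still evaluates `maxinfo * maplen` as a `%d` argument on the last line of the hunk. When the new `INT_MULTIPLY_OVERFLOW` test is what fired, the multiplication the guard just rejected is therefore performed anyway and a wrapped value is reported. Printing the operands separately avoids that: `_("vCPU map buffer length exceeds maximum: %d * %d > %d"), maxinfo, maplen, REMOTE_CPUMAPS_MAX`. The function continues outside the hunk.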
--
1.7.4.4