[libvirt] [PATCH] uml: fix logic bug in checking reply length

* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough bytes were read to dereference both res.length, and that many bytes from res.data. Reported by Soren Hansen. --- I'll wait for a third-party ack before pushing this. Meanwhile, I discovered a bug in Solaris' implementation of offsetof. POSIX requires that offsetof be an integer constant expression, which means that: sizeof offsetof(a,b) should compile. But Solaris (and probably other buggy systems) used too few parens in their macro, and you have to use: sizeof(offsetof(a,b)) instead. Interesting trivia, but at least it doesn't affect any of libvirt's existing uses of offsetof. src/uml/uml_driver.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c index 04493ba..37ddc39 100644 --- a/src/uml/uml_driver.c +++ b/src/uml/uml_driver.c @@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver, virReportSystemError(errno, _("cannot read reply %s"), cmd); goto error; } - if (nbytes < sizeof res) { + if (nbytes < offsetof(struct monitor_request, data) || + nbytes < res.length + offsetof(struct monitor_request, data)) { virReportSystemError(0, _("incomplete reply %s"), cmd); goto error; } - if (sizeof res.data < res.length) { - virReportSystemError(0, _("invalid length in reply %s"), cmd); - goto error; - } if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) { virReportOOMError(); -- 1.7.2.1