On 3/21/24 01:53, Daniel P. Berrangé wrote:
While the C API entry points will validate non-negative lengths
for various parameters, the RPC server de-serialization code
will need to allocate memory for arrays before entering the C
API. These allocations will thus happen before the non-negative
length check is performed.
Passing a negative length to the g_new0 function will usually
result in a crash due to the negative length being treated as
a huge positive number.
This was found and diagnosed by ALT Linux Team with AFLplusplus.
CVE-2024-2494
Found-by: Alexandr Shashkin <dutyrok(a)altlinux.org>
Co-developed-by: Alexander Kuznetsov <kuznetsovam(a)altlinux.org>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
src/rpc/gendispatch.pl | 5 +++
2 files changed, 70 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
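The commit message above describes the general hazard: an RPC deserializer that allocates an array from a wire-supplied signed length before the C API's non-negative check runs, so a negative value converts to a huge `size_t` and the allocation fails or crashes. The following is an added illustration of that failure mode beside the defensive pattern (validate the count before any allocation); it is not libvirt's code and does not reproduce the patch, and the `wire_array_hdr` type, the `max_len` bound and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical wire header for an array argument: a signed 32-bit
 * element count, the shape XDR-style deserializers typically produce
 * (constructed for this example, not libvirt's actual struct). */
typedef struct {
    int32_t len;
} wire_array_hdr;

/* The hazard: a negative count implicitly converted to size_t becomes
 * a huge value, so an allocator asked for len * elem_size bytes is
 * handed an absurd request. This helper only computes that size. */
size_t naive_alloc_size(int32_t len, size_t elem_size)
{
    return (size_t)len * elem_size;
}

/* Hardened deserialization: reject out-of-range counts BEFORE the
 * allocation, which is the ordering the commit message calls for.
 * max_len is an assumed per-call upper bound. Returns 0 on success,
 * -1 on rejection or allocation failure; *out is NULL on failure. */
int deserialize_array(const wire_array_hdr *hdr, size_t elem_size,
                      size_t max_len, void **out)
{
    *out = NULL;
    if (hdr->len < 0 || (size_t)hdr->len > max_len)
        return -1;                      /* no allocation has happened yet */

    /* calloc(0, n) may legitimately return NULL; allocate one element
     * for an empty array so success is unambiguous. */
    size_t n = hdr->len == 0 ? 1 : (size_t)hdr->len;
    *out = calloc(n, elem_size);
    return *out ? 0 : -1;
}

/* Small checkable wrappers around the two paths. */
int negative_len_is_rejected(void)
{
    wire_array_hdr hdr = { .len = -1 };
    void *p = (void *)1;
    int rc = deserialize_array(&hdr, 8, 1024, &p);
    return rc == -1 && p == NULL;
}

int oversized_len_is_rejected(void)
{
    wire_array_hdr hdr = { .len = 4096 };
    void *p = NULL;
    return deserialize_array(&hdr, 8, 1024, &p) == -1 && p == NULL;
}

int valid_len_is_allocated(void)
{
    wire_array_hdr hdr = { .len = 4 };
    void *p = NULL;
    int rc = deserialize_array(&hdr, 8, 1024, &p);
    int ok = rc == 0 && p != NULL;
    free(p);
    return ok;
}
```

The point of `naive_alloc_size` is only to make the sign conversion visible: with `len == -1` the product is within a few bytes of `SIZE_MAX`, which is what "treated as a huge positive number" means in practice. Placing the range check in the deserializer, rather than relying on the API entry point further down, closes the window in which memory is requested on behalf of an unvalidated count.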