[libvirt] [PATCHv2-resend] uml: sanity check external data before using it

Otherwise, a malicious packet could cause a DoS via spurious out-of-memory failure. * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming data is reliable before using it to allocate/dereference memory. Don't report bogus errno on short read. Reported by Jim Meyering. --- While trying to flush some of my pending patches, I noticed that this one had never been given an ack. Originally at: https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html src/uml/uml_driver.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c index 3111211..1cbd0bd 100644 --- a/src/uml/uml_driver.c +++ b/src/uml/uml_driver.c @@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver, if (nbytes < 0) { if (errno == EAGAIN || errno == EINTR) continue; - virReportSystemError(errno, - _("cannot read reply %s"), - cmd); + virReportSystemError(errno, _("cannot read reply %s"), cmd); goto error; } if (nbytes < sizeof res) { - virReportSystemError(errno, - _("incomplete reply %s"), - cmd); + virReportSystemError(0, _("incomplete reply %s"), cmd); + goto error; + } + if (sizeof res.data < res.length) { + virReportSystemError(0, _("invalid length in reply %s"), cmd); goto error; } -- 1.7.0.1
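Review bot: the "incomplete reply" and "invalid length in reply" branches now call virReportSystemError with 0 as the errno argument, which avoids the stale errno but still routes a protocol-validation failure through the system-error reporter, so the message will likely carry a meaningless strerror suffix. Both conditions are malformed-input errors rather than syscall failures, so an internal-error style report would fit them better, if the driver has one. On the new check `if (sizeof res.data < res.length)`, the declaration of res.length is not visible in this hunk. If it is a signed type, rejecting a negative length depends on the implicit conversion to size_t in that comparison. A one-line comment stating that res.length comes from the peer and is untrusted, plus a note on its type, would make the intent clear to later readers.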

2010/6/10 Eric Blake <eblake@redhat.com>:
Otherwise, a malicious packet could cause a DoS via spurious out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming data is reliable before using it to allocate/dereference memory. Don't report bogus errno on short read. Reported by Jim Meyering. ---
While trying to flush some of my pending patches, I noticed that this one had never been given an ack. Originally at: https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html
src/uml/uml_driver.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c index 3111211..1cbd0bd 100644 --- a/src/uml/uml_driver.c +++ b/src/uml/uml_driver.c @@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver, if (nbytes < 0) { if (errno == EAGAIN || errno == EINTR) continue; - virReportSystemError(errno, - _("cannot read reply %s"), - cmd); + virReportSystemError(errno, _("cannot read reply %s"), cmd); goto error; } if (nbytes < sizeof res) { - virReportSystemError(errno, - _("incomplete reply %s"), - cmd); + virReportSystemError(0, _("incomplete reply %s"), cmd); + goto error; + } + if (sizeof res.data < res.length) { + virReportSystemError(0, _("invalid length in reply %s"), cmd); goto error; }
-- 1.7.0.1
ACK.

Matthias

On 06/10/2010 02:06 PM, Matthias Bolte wrote:
2010/6/10 Eric Blake <eblake@redhat.com>:
Otherwise, a malicious packet could cause a DoS via spurious out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming data is reliable before using it to allocate/dereference memory. Don't report bogus errno on short read. Reported by Jim Meyering. ---
ACK.
Thanks; pushed now.

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org