Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.
* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---
While trying to flush some of my pending patches, I noticed that
this one had never been given an ack. Originally at:
https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html
src/uml/uml_driver.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 3111211..1cbd0bd 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
if (nbytes < 0) {
if (errno == EAGAIN || errno == EINTR)
continue;
- virReportSystemError(errno,
- _("cannot read reply %s"),
- cmd);
+ virReportSystemError(errno, _("cannot read reply %s"), cmd);
goto error;
}
if (nbytes < sizeof res) {
- virReportSystemError(errno,
- _("incomplete reply %s"),
- cmd);
+ virReportSystemError(0, _("incomplete reply %s"), cmd);
+ goto error;
+ }
+ if (sizeof res.data < res.length) {
+ virReportSystemError(0, _("invalid length in reply %s"), cmd);
goto error;
}
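Review bot: In the two new `virReportSystemError(0, ...)` calls (the short-read branch and the new `res.length` check), passing 0 as the errno removes the stale-errno report but leaves a system-error call with no system error behind it; an error report that takes no errno would describe these protocol-level failures more accurately. The new bound check `sizeof res.data < res.length` is correctly placed after the `nbytes < sizeof res` test, so `res.length` is only read from a complete reply, but the declaration of `res.length` is not visible in this hunk: if the field is signed, please confirm that a negative value is rejected as well and say so in a short comment. The re-wrapping of the first `virReportSystemError(errno, ...)` call is cosmetic and could be left out to keep the fix minimal.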
--
1.7.0.1