uml: fix logic bug in checking reply length

* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
bytes were read to dereference res.length, and then that res.length
bytes of res.data were actually received, before using either.
Reported by Soren Hansen.
Eric Blake 2010-08-16 15:21:38 -06:00
parent 52baf647ca
commit 3223871e2e


@ -737,14 +737,12 @@ static int umlMonitorCommand(const struct uml_driver *driver,
virReportSystemError(errno, _("cannot read reply %s"), cmd);
goto error;
}
if (nbytes < sizeof res) {
/* Ensure res.length is safe to read before validating its value. */
if (nbytes < offsetof(struct monitor_request, data) ||
nbytes < offsetof(struct monitor_request, data) + res.length) {
virReportSystemError(0, _("incomplete reply %s"), cmd);
goto error;
}
if (sizeof res.data < res.length) {
virReportSystemError(0, _("invalid length in reply %s"), cmd);
goto error;
}
if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
virReportOOMError();