External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

remote: protect against integer overflow

Browse Source 
Integer overflow and remote code are never a nice mix.

This has existed since commit 56cd414.

* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
on sending rpc.
* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
receiving rpc.
This commit is contained in:
Eric Blake 2011-06-24 12:16:05 -06:00
parent 89d994ad6b
commit 774b21c163
3 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
daemon/remote.c
View File

@ -61,6 +61,7 @@
#include "network.h" #include "network.h"
#include "libvirt/libvirt-qemu.h" #include "libvirt/libvirt-qemu.h"
#include "command.h" #include "command.h"
#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE #define VIR_FROM_THIS VIR_FROM_REMOTE
@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemud_server *server ATTRIBUTE_UNUSED,
goto cleanup; goto cleanup;
} }
if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) { if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX")); virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
goto cleanup; goto cleanup;
} }

5
src/libvirt.c
View File

@ -39,6 +39,7 @@
#include "util.h" #include "util.h"
#include "memory.h" #include "memory.h"
#include "configmake.h" #include "configmake.h"
#include "intprops.h"
#ifndef WITH_DRIVER_MODULES #ifndef WITH_DRIVER_MODULES
# ifdef WITH_TEST # ifdef WITH_TEST
@ -7153,8 +7154,8 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
/* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
try to memcpy anything into a NULL pointer. */ try to memcpy anything into a NULL pointer. */
if ((cpumaps == NULL && maplen != 0) if (!cpumaps ? maplen != 0
|| (cpumaps && maplen <= 0)) { : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__); virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
goto error; goto error;
} }

4
src/remote/remote_driver.c
View File

@ -83,6 +83,7 @@
#include "ignore-value.h" #include "ignore-value.h"
#include "files.h" #include "files.h"
#include "command.h" #include "command.h"
#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE #define VIR_FROM_THIS VIR_FROM_REMOTE
@ -2161,7 +2162,8 @@ remoteDomainGetVcpus (virDomainPtr domain,
maxinfo, REMOTE_VCPUINFO_MAX); maxinfo, REMOTE_VCPUINFO_MAX);
goto done; goto done;
} }
if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) { if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
remoteError(VIR_ERR_RPC, remoteError(VIR_ERR_RPC,
_("vCPU map buffer length exceeds maximum: %d > %d"), _("vCPU map buffer length exceeds maximum: %d > %d"),
maxinfo * maplen, REMOTE_CPUMAPS_MAX); maxinfo * maplen, REMOTE_CPUMAPS_MAX);