mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-11 23:37:42 +00:00
xen: don't let bogus packets trigger over-allocation and segfault
* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet could include a too-large "ans.len" value, which would make us allocate too much memory and then copy data from beyond the end of "ans", possibly evoking a segfault. Ensure that the value we use is no larger than the remaining portion of "ans". Also, change unnecessary memmove to memcpy (src and dest obviously do not overlap, so no need to use memmove). (xenProxyDomainGetOSType): Likewise. (xenProxyGetCapabilities): Likewise.
This commit is contained in:
parent
4697def66b
commit
ba918ac1b4
@ -932,7 +932,8 @@ xenProxyGetCapabilities (virConnectPtr conn)
|
|||||||
}
|
}
|
||||||
if (ans.data.arg == -1)
|
if (ans.data.arg == -1)
|
||||||
return NULL;
|
return NULL;
|
||||||
if (ans.len <= sizeof(virProxyPacket)) {
|
if (ans.len <= sizeof(virProxyPacket)
|
||||||
|
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
|
||||||
virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -942,7 +943,7 @@ xenProxyGetCapabilities (virConnectPtr conn)
|
|||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
memmove (xml, ans.extra.str, xmllen);
|
memcpy (xml, ans.extra.str, xmllen);
|
||||||
xml[xmllen] = '\0';
|
xml[xmllen] = '\0';
|
||||||
|
|
||||||
return xml;
|
return xml;
|
||||||
@ -983,7 +984,8 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
|
|||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
return(NULL);
|
return(NULL);
|
||||||
}
|
}
|
||||||
if (ans.len <= sizeof(virProxyPacket)) {
|
if (ans.len <= sizeof(virProxyPacket)
|
||||||
|
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
|
||||||
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
@ -992,7 +994,7 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
|
|||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
memmove(xml, &ans.extra.dinfo, xmllen);
|
memcpy(xml, &ans.extra.dinfo, xmllen);
|
||||||
xml[xmllen] = '\0';
|
xml[xmllen] = '\0';
|
||||||
|
|
||||||
return(xml);
|
return(xml);
|
||||||
@ -1038,7 +1040,8 @@ xenProxyDomainGetOSType(virDomainPtr domain)
|
|||||||
return(NULL);
|
return(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ans.len <= sizeof(virProxyPacket)) {
|
if (ans.len <= sizeof(virProxyPacket)
|
||||||
|
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
|
||||||
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
@ -1047,7 +1050,7 @@ xenProxyDomainGetOSType(virDomainPtr domain)
|
|||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
memmove(ostype, &ans.extra.dinfo, oslen);
|
memcpy(ostype, &ans.extra.dinfo, oslen);
|
||||||
ostype[oslen] = '\0';
|
ostype[oslen] = '\0';
|
||||||
|
|
||||||
return(ostype);
|
return(ostype);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user