libvirt_proxy: avoid potential buffer overflow

* proxy/libvirt_proxy.c (proxyReadClientSocket): Ensure that we've read an entire virProxyPacket before dereferencing "req". Analysis and patch by "Rasputin" <rasputin@email.ru>. Details in <http://thread.gmane.org/gmane.comp.emulators.libvirt/11459>.
2025-01-23 13:05:27 +00:00 · 2009-01-28 14:08:33 +00:00 · 2009-01-28 14:08:33 +00:00 · be33b189a5
commit be33b189a5
parent eb0849f370
2 changed files with 11 additions and 2 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Wed Jan 28 14:27:11 +0100 2009 Jim Meyering <meyering@redhat.com>
+
+	libvirt_proxy: avoid potential buffer overflow
+	* proxy/libvirt_proxy.c (proxyReadClientSocket): Ensure that
+	we've read an entire virProxyPacket before dereferencing "req".
+	Analysis and patch by "Rasputin" <rasputin@email.ru>.  Details in
+	<http://thread.gmane.org/gmane.comp.emulators.libvirt/11459>.
+
 Wed Jan 28 14:53:37 +0100 2009 Jim Meyering <meyering@redhat.com>

 	* po/POTFILES.in: Add src/lxc_conf.c
--- a/proxy/libvirt_proxy.c
+++ b/proxy/libvirt_proxy.c
@ -2,7 +2,7 @@
 * proxy_svr.c: root suid proxy server for Xen access to APIs with no
 *              side effects from unauthenticated clients.
 *
- * Copyright (C) 2006, 2007, 2008 Red Hat, Inc.
+ * Copyright (C) 2006, 2007, 2008, 2009 Red Hat, Inc.
 *
 * See COPYING.LIB for the License of this software
 *
@ -382,7 +382,8 @@ retry:
        fprintf(stderr, "read %d bytes from client %d on socket %d\n",
                ret, nr, pollInfos[nr].fd);

-    if ((req->version != PROXY_PROTO_VERSION) ||
+    if ((ret != sizeof(virProxyPacket)) ||
+        (req->version != PROXY_PROTO_VERSION) ||
        (req->len < sizeof(virProxyPacket)) ||
        (req->len > sizeof(virProxyFullPacket)))
        goto comm_error;