diff --git a/NEWS.rst b/NEWS.rst index ac64cf6974..69258880d2 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,21 @@ v10.1.0 (unreleased) * **Security** + * ``CVE-2024-1441``: Fix off-by-one error leading to a crash + + In **libvirt-1.0.0** there were couple of interface listing APIs + introduced which had an off-by-one error. That error could lead to a + very rare crash if an array was passed to those functions which did + not fit all the interfaces. + + In **libvirt-5.10** a check for non-NULL arrays has been adjusted to + allow for NULL arrays with size 0 instead of rejecting all NULL + arrays. However that made the above issue significantly worse since + that off-by-one error now did not write beyond an array, but + dereferenced said NULL pointer making the crash certain in a + specific scenario in which a NULL array of size 0 was passed to the + aforementioned functions. + * **Removed features** * **New features** diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c index fb6799ed94..4091483060 100644 --- a/src/interface/interface_backend_udev.c +++ b/src/interface/interface_backend_udev.c @@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, g_autoptr(virInterfaceDef) def = NULL; /* Ensure we won't exceed the size of our array */ - if (count > names_len) + if (count >= names_len) break; path = udev_list_entry_get_name(dev_entry);
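Review bot: the change from `count > names_len` to `count >= names_len` in udevListInterfacesByStatus is the correct bound: if `count` is the zero-based index of the next slot to fill in `names` (which is what the off-by-one described in the NEWS entry implies), the old test still allowed a store into `names[names_len]`, one past the end of the caller's array, and, after the libvirt-5.10 change that accepts a NULL array of size 0, a write through a NULL pointer; `>=` stops the loop before that slot. Two follow-ups: the NEWS entry says the bug affected "couple of interface listing APIs" (plural, and the phrase is missing an "a": "a couple of"), yet only one code hunk is in this patch, so please confirm that every sibling listing helper using the same `count > names_len` shape got the same fix, and consider a test that passes a NULL array with size 0 so the crash path the NEWS text describes is exercised.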