qemu restore: don't let corrupt input provoke unwarranted OOM

* src/qemu/qemu_driver.c (qemudDomainRestore): A corrupt save file (in particular, a too-large header.xml_len value) would cause an unwarranted out-of-memory error. Do not trust the just-read header.xml_len. Instead, merely use that as a hint, and read/allocate up to that number of bytes from the file. Also verify that header.xml_len is positive; if it were negative, passing it to virFileReadLimFD could cause trouble.

qemu restore: don't let corrupt input provoke unwarranted OOM
* src/qemu/qemu_driver.c (qemudDomainRestore): A corrupt save file (in particular, a too-large header.xml_len value) would cause an unwarranted out-of-memory error. Do not trust the just-read header.xml_len. Instead, merely use that as a hint, and read/allocate up to that number of bytes from the file. Also verify that header.xml_len is positive; if it were negative, passing it to virFileReadLimFD could cause trouble.
1a4d5c95 · Jim Meyering · 32884a7e · 1a4d5c95
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +4 -3

未找到文件。
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -5117,12 +5117,13 @@ static int qemudDomainRestore(virConnectPtr conn,
        goto cleanup;
    }

-    if (VIR_ALLOC_N(xml, header.xml_len) < 0) {
-        virReportOOMError();
+    if (header.xml_len <= 0) {
+        qemuReportError(VIR_ERR_OPERATION_FAILED,
+                        _("invalid XML length: %d"), header.xml_len);
        goto cleanup;
    }

-    if (saferead(fd, xml, header.xml_len) != header.xml_len) {
+    if (virFileReadLimFD(fd, header.xml_len, &xml) != header.xml_len) {
        qemuReportError(VIR_ERR_OPERATION_FAILED,
                        "%s", _("failed to read XML"));
        goto cleanup;