uml: fix logic bug in checking reply length

* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
bytes were read to dereference both res.length, and that many
bytes from res.data.
Reported by Soren Hansen.

src/uml/uml_driver.c

@@ -737,14 +737,12 @@ static int umlMonitorCommand(const struct uml_driver *driver,
             virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
-        if (nbytes < sizeof res) {
+        /* Ensure res.length is safe to read before validating its value.  */
+        if (nbytes < offsetof(struct monitor_request, data) ||
+            nbytes < offsetof(struct monitor_request, data) + res.length) {
             virReportSystemError(0, _("incomplete reply %s"), cmd);
             goto error;
         }
-        if (sizeof res.data < res.length) {
-            virReportSystemError(0, _("invalid length in reply %s"), cmd);
-            goto error;
-        }
 
         if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
             virReportOOMError();