uml: sanity check external data before using it

Otherwise, a malicious packet could cause a DoS via spurious out-of-memory failure. * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming data is reliable before using it to allocate/dereference memory. Don't report bogus errno on short read. Reported by Jim Meyering.

uml: sanity check external data before using it
Otherwise, a malicious packet could cause a DoS via spurious out-of-memory failure. * src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming data is reliable before using it to allocate/dereference memory. Don't report bogus errno on short read. Reported by Jim Meyering.
582c75ec · Eric Blake · d0dabc2b · 582c75ec
隐藏空白更改
内联并排

Showing with 6 addition and 6 deletion

src/uml/uml_driver.c src/uml/uml_driver.c +6 -6

未找到文件。
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
        if (nbytes < 0) {
            if (errno == EAGAIN || errno == EINTR)
                continue;
-            virReportSystemError(errno,
-                                 _("cannot read reply %s"),
-                                 cmd);
+            virReportSystemError(errno, _("cannot read reply %s"), cmd);
            goto error;
        }
        if (nbytes < sizeof res) {
-            virReportSystemError(errno,
-                                 _("incomplete reply %s"),
-                                 cmd);
+            virReportSystemError(0, _("incomplete reply %s"), cmd);
+            goto error;
+        }
+        if (sizeof res.data < res.length) {
+            virReportSystemError(0, _("invalid length in reply %s"), cmd);
            goto error;
        }