From ba918ac1b4159aedb0c209202de35390a1e9e0b9 Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Wed, 3 Mar 2010 16:50:02 +0100
Subject: [PATCH] xen: don't let bogus packets trigger over-allocation and segfault

* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet could include a too-large "ans.len" value, which would make us allocate too much memory and then copy data from beyond the end of "ans", possibly evoking a segfault. Ensure that the value we use is no larger than the remaining portion of "ans". Also, change unnecessary memmove to memcpy (src and dest obviously do not overlap, so no need to use memmove).
(xenProxyDomainGetOSType): Likewise.
(xenProxyGetCapabilities): Likewise.
---
 src/xen/proxy_internal.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
index 8e1c226202..be79d56955 100644
--- a/src/xen/proxy_internal.c
+++ b/src/xen/proxy_internal.c
@@ -932,7 +932,8 @@ xenProxyGetCapabilities (virConnectPtr conn)
     }
     if (ans.data.arg == -1)
         return NULL;
-    if (ans.len <= sizeof(virProxyPacket)) {
+    if (ans.len <= sizeof(virProxyPacket)
+        || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
         virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
         return NULL;
     }
@@ -942,7 +943,7 @@ xenProxyGetCapabilities (virConnectPtr conn)
         virReportOOMError();
         return NULL;
     }
-    memmove (xml, ans.extra.str, xmllen);
+    memcpy (xml, ans.extra.str, xmllen);
     xml[xmllen] = '\0';
     return xml;
 
@@ -983,7 +984,8 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
     if (ret < 0) {
         return(NULL);
     }
-    if (ans.len <= sizeof(virProxyPacket)) {
+    if (ans.len <= sizeof(virProxyPacket)
+        || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
         virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
         return (NULL);
     }
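Review bot: The new upper bound in the xenProxyGetCapabilities hunk, `ans.len > sizeof (ans) - sizeof(virProxyPacket)`, appears one header size stricter than the copy needs: if `ans.len` counts the whole packet including the header (the pre-existing `ans.len <= sizeof(virProxyPacket)` test implies it does) and the payload length computed outside the hunk is `ans.len - sizeof(virProxyPacket)`, then a copy starting at `ans.extra.str` ends exactly at offset `ans.len`, so `ans.len > sizeof(ans)` is the tight condition and the committed form refuses packets whose payload uses the last `sizeof(virProxyPacket)` bytes of the buffer. That is safe, just possibly over-restrictive; if it is deliberate, a one-line comment such as `/* reject any packet whose payload could extend past the end of ans */` would stop the next reader from "fixing" it, and if the reader in xenProxyCommand already enforces a cap the comment should say this is defence in depth. The identical three-line test is repeated verbatim in the xenProxyDomainDumpXML and xenProxyDomainGetOSType hunks; a single `static inline int virProxyPacketLenValid(size_t len, size_t total)` (or a macro) would keep the three bounds from drifting apart. The spacing `sizeof (ans)` versus `sizeof(virProxyPacket)` in the same expression is inconsistent. The enclosing functions start and continue outside each hunk.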
@@ -992,7 +994,7 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
         virReportOOMError();
         return NULL;
     }
-    memmove(xml, &ans.extra.dinfo, xmllen);
+    memcpy(xml, &ans.extra.dinfo, xmllen);
     xml[xmllen] = '\0';
     return(xml);
 
@@ -1038,7 +1040,8 @@ xenProxyDomainGetOSType(virDomainPtr domain)
         return(NULL);
     }
 
-    if (ans.len <= sizeof(virProxyPacket)) {
+    if (ans.len <= sizeof(virProxyPacket)
+        || ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
         virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
         return (NULL);
     }
@@ -1047,7 +1050,7 @@ xenProxyDomainGetOSType(virDomainPtr domain)
         virReportOOMError();
         return NULL;
     }
-    memmove(ostype, &ans.extra.dinfo, oslen);
+    memcpy(ostype, &ans.extra.dinfo, oslen);
     ostype[oslen] = '\0';
     return(ostype);
 
-- 
GitLab
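Review bot: The copy source in the xenProxyDomainDumpXML hunk, `&ans.extra.dinfo`, is the address of a struct member used as a byte stream for string data, while the same operation in xenProxyGetCapabilities reads `ans.extra.str`; presumably both name the same union storage, but the struct form hides that a text payload is being copied and will confuse a reader checking the bound against the wrong member. `memcpy(xml, ans.extra.str, xmllen);` would make the three copies uniform; the xenProxyDomainGetOSType hunk has the same `&ans.extra.dinfo` source. The allocation of `xml` with `xmllen + 1` bytes and the computation of `xmllen` both sit outside the hunk, so the terminator write on the next line is assumed to be in bounds rather than verified here. The enclosing functions start and end outside the hunks.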