提交 ba918ac1 编写于 作者: J Jim Meyering

xen: don't let bogus packets trigger over-allocation and segfault

* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
could include a too-large "ans.len" value, which would make us allocate
too much memory and then copy data from beyond the end of "ans",
possibly evoking a segfault.  Ensure that the value we use is no
larger than the remaining portion of "ans".
Also, change unnecessary memmove to memcpy (src and dest obviously
do not overlap, so no need to use memmove).
(xenProxyDomainGetOSType): Likewise.
(xenProxyGetCapabilities): Likewise.
上级 4697def6
...@@ -932,7 +932,8 @@ xenProxyGetCapabilities (virConnectPtr conn) ...@@ -932,7 +932,8 @@ xenProxyGetCapabilities (virConnectPtr conn)
} }
if (ans.data.arg == -1) if (ans.data.arg == -1)
return NULL; return NULL;
if (ans.len <= sizeof(virProxyPacket)) { if (ans.len <= sizeof(virProxyPacket)
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); virProxyError(conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
return NULL; return NULL;
} }
...@@ -942,7 +943,7 @@ xenProxyGetCapabilities (virConnectPtr conn) ...@@ -942,7 +943,7 @@ xenProxyGetCapabilities (virConnectPtr conn)
virReportOOMError(); virReportOOMError();
return NULL; return NULL;
} }
memmove (xml, ans.extra.str, xmllen); memcpy (xml, ans.extra.str, xmllen);
xml[xmllen] = '\0'; xml[xmllen] = '\0';
return xml; return xml;
...@@ -983,7 +984,8 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED) ...@@ -983,7 +984,8 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
if (ret < 0) { if (ret < 0) {
return(NULL); return(NULL);
} }
if (ans.len <= sizeof(virProxyPacket)) { if (ans.len <= sizeof(virProxyPacket)
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
return (NULL); return (NULL);
} }
...@@ -992,7 +994,7 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED) ...@@ -992,7 +994,7 @@ xenProxyDomainDumpXML(virDomainPtr domain, int flags ATTRIBUTE_UNUSED)
virReportOOMError(); virReportOOMError();
return NULL; return NULL;
} }
memmove(xml, &ans.extra.dinfo, xmllen); memcpy(xml, &ans.extra.dinfo, xmllen);
xml[xmllen] = '\0'; xml[xmllen] = '\0';
return(xml); return(xml);
...@@ -1038,7 +1040,8 @@ xenProxyDomainGetOSType(virDomainPtr domain) ...@@ -1038,7 +1040,8 @@ xenProxyDomainGetOSType(virDomainPtr domain)
return(NULL); return(NULL);
} }
if (ans.len <= sizeof(virProxyPacket)) { if (ans.len <= sizeof(virProxyPacket)
|| ans.len > sizeof (ans) - sizeof(virProxyPacket)) {
virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__);
return (NULL); return (NULL);
} }
...@@ -1047,7 +1050,7 @@ xenProxyDomainGetOSType(virDomainPtr domain) ...@@ -1047,7 +1050,7 @@ xenProxyDomainGetOSType(virDomainPtr domain)
virReportOOMError(); virReportOOMError();
return NULL; return NULL;
} }
memmove(ostype, &ans.extra.dinfo, oslen); memcpy(ostype, &ans.extra.dinfo, oslen);
ostype[oslen] = '\0'; ostype[oslen] = '\0';
return(ostype); return(ostype);
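Review bot: The new upper bound in xenProxyGetCapabilities, xenProxyDomainDumpXML and xenProxyDomainGetOSType is applied to `ans.len`, which by the first half of the condition includes the `virProxyPacket` header, whereas `sizeof (ans) - sizeof(virProxyPacket)` is the size of the payload area that follows the header. If the copy length is `ans.len - sizeof(virProxyPacket)` (it is computed outside the visible hunks, so this needs confirming), the check is memory-safe but also rejects replies whose payload legitimately reaches into the last `sizeof(virProxyPacket)` bytes of `ans`. Either `|| ans.len > sizeof (ans)) {` would match the intent stated in the commit message, or a comment such as `/* deliberately stricter than sizeof(ans): leaves room for ... */` should record why the tighter limit is wanted. The same two-line test is repeated in all three functions and could sit in one small static helper, so that the length validation of untrusted proxy replies cannot drift between callers.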
......