curl: check data size before memcpy to local buffer. (CVE-2014-0144)

curl_read_cb is callback function for libcurl when data arrives. The data size passed in here is not guaranteed to be within the range of request we submitted, so we may overflow the guest IO buffer. Check the real size we have before memcpy to buffer to avoid overflow. Signed-off-by: N Fam Zheng <famz@redhat.com> Reviewed-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Reviewed-by: N Max Reitz <mreitz@redhat.com> Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 6d4b9e55) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

curl: check data size before memcpy to local buffer. (CVE-2014-0144)
curl_read_cb is callback function for libcurl when data arrives. The data size passed in here is not guaranteed to be within the range of request we submitted, so we may overflow the guest IO buffer. Check the real size we have before memcpy to buffer to avoid overflow. Signed-off-by: N Fam Zheng <famz@redhat.com> Reviewed-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Reviewed-by: N Max Reitz <mreitz@redhat.com> Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 6d4b9e55) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
4854971a · Fam Zheng · Michael Roth · 1786c422 · 4854971a
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

block/curl.c block/curl.c +5 -0

未找到文件。
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
    if (!s || !s->orig_buf)
        goto read_end;

+    if (s->buf_off >= s->buf_len) {
+        /* buffer full, read nothing */
+        return 0;
+    }
+    realsize = MIN(realsize, s->buf_len - s->buf_off);
    memcpy(s->orig_buf + s->buf_off, ptr, realsize);
    s->buf_off += realsize;