cryptospore / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-curl-check-data-size-before-memcpy-to-local-buffer.-.patch

9ae3a8
From e64c6e9054f97e5894d875380d241124d8f0bcc9 Mon Sep 17 00:00:00 2001
9ae3a8
From: Fam Zheng <famz@redhat.com>
9ae3a8
Date: Tue, 25 Mar 2014 14:23:26 +0100
9ae3a8
Subject: [PATCH 19/49] curl: check data size before memcpy to local buffer. (CVE-2014-0144)
9ae3a8
9ae3a8
RH-Author: Kevin Wolf <kwolf@redhat.com>
9ae3a8
Message-id: <1395753835-7591-20-git-send-email-kwolf@redhat.com>
9ae3a8
Patchwork-id: n/a
9ae3a8
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 19/48] curl: check data size before memcpy to local buffer. (CVE-2014-0144)
9ae3a8
Bugzilla: 1079455
9ae3a8
RH-Acked-by: Jeff Cody <jcody@redhat.com>
9ae3a8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8
9ae3a8
From: Fam Zheng <famz@redhat.com>
9ae3a8
9ae3a8
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455
9ae3a8
Upstream status: Embargoed
9ae3a8
9ae3a8
curl_read_cb is callback function for libcurl when data arrives. The
9ae3a8
data size passed in here is not guaranteed to be within the range of
9ae3a8
request we submitted, so we may overflow the guest IO buffer. Check the
9ae3a8
real size we have before memcpy to buffer to avoid overflow.
9ae3a8
9ae3a8
Signed-off-by: Fam Zheng <famz@redhat.com>
9ae3a8
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9ae3a8
---
9ae3a8
 block/curl.c |    5 +++++
9ae3a8
 1 files changed, 5 insertions(+), 0 deletions(-)
9ae3a8
9ae3a8
diff --git a/block/curl.c b/block/curl.c
9ae3a8
index 1b0fcf1..b3d948e 100644
9ae3a8
--- a/block/curl.c
9ae3a8
+++ b/block/curl.c
9ae3a8
@@ -134,6 +134,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
9ae3a8
     if (!s || !s->orig_buf)
9ae3a8
         goto read_end;
9ae3a8
 
9ae3a8
+    if (s->buf_off >= s->buf_len) {
9ae3a8
+        /* buffer full, read nothing */
9ae3a8
+        return 0;
9ae3a8
+    }
9ae3a8
+    realsize = MIN(realsize, s->buf_len - s->buf_off);
9ae3a8
     memcpy(s->orig_buf + s->buf_off, ptr, realsize);
9ae3a8
     s->buf_off += realsize;
9ae3a8
 
9ae3a8
-- 
9ae3a8
1.7.1
9ae3a8