From e64c6e9054f97e5894d875380d241124d8f0bcc9 Mon Sep 17 00:00:00 2001

From: Fam Zheng <famz@redhat.com>

Date: Tue, 25 Mar 2014 14:23:26 +0100

Subject: [PATCH 19/49] curl: check data size before memcpy to local buffer. (CVE-2014-0144)

RH-Author: Kevin Wolf <kwolf@redhat.com>

Message-id: <1395753835-7591-20-git-send-email-kwolf@redhat.com>

Patchwork-id: n/a

O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 19/48] curl: check data size before memcpy to local buffer. (CVE-2014-0144)

Bugzilla: 1079455

RH-Acked-by: Jeff Cody <jcody@redhat.com>

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

From: Fam Zheng <famz@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455

Upstream status: Embargoed

curl_read_cb is callback function for libcurl when data arrives. The

data size passed in here is not guaranteed to be within the range of

request we submitted, so we may overflow the guest IO buffer. Check the

real size we have before memcpy to buffer to avoid overflow.

Signed-off-by: Fam Zheng <famz@redhat.com>

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

---

 block/curl.c |    5 +++++

 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/block/curl.c b/block/curl.c

index 1b0fcf1..b3d948e 100644

--- a/block/curl.c

+++ b/block/curl.c

@@ -134,6 +134,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)

     if (!s || !s->orig_buf)

         goto read_end;

+    if (s->buf_off >= s->buf_len) {

+        /* buffer full, read nothing */

+        return 0;

+    }

+    realsize = MIN(realsize, s->buf_len - s->buf_off);

     memcpy(s->orig_buf + s->buf_off, ptr, realsize);

     s->buf_off += realsize;

-- 

1.7.1