Blame SOURCES/kvm-curl-check-data-size-before-memcpy-to-local-buffer.-.patch

From e64c6e9054f97e5894d875380d241124d8f0bcc9 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Tue, 25 Mar 2014 14:23:26 +0100
Subject: [PATCH 19/49] curl: check data size before memcpy to local buffer. (CVE-2014-0144)

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395753835-7591-20-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 19/48] curl: check data size before memcpy to local buffer. (CVE-2014-0144)
Bugzilla: 1079455
RH-Acked-by: Jeff Cody <jcody@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

From: Fam Zheng <famz@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079455
Upstream status: Embargoed
curl_read_cb is a callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of the
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to the buffer to avoid overflow.
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/curl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/block/curl.c b/block/curl.c
index 1b0fcf1..b3d948e 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -134,6 +134,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
     if (!s || !s->orig_buf)
         goto read_end;
 
+    if (s->buf_off >= s->buf_len) {
+        /* buffer full, read nothing */
+        return 0;
+    }
+    realsize = MIN(realsize, s->buf_len - s->buf_off);
     memcpy(s->orig_buf + s->buf_off, ptr, realsize);
     s->buf_off += realsize;
 
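Review bot: the clamp `realsize = MIN(realsize, s->buf_len - s->buf_off);` removes the overflow, but if curl_read_cb then returns the clamped `realsize` (its return statement lies outside this hunk), libcurl receives a count smaller than `size * nmemb` and treats that as a write error, aborting the transfer; the early `return 0;` on a full buffer has the same effect. If ending the transfer once the request's buffer is filled is the intended outcome, state that in the comment next to the clamp and in the commit message, since the truncation otherwise reads as silent handling of excess data; if it is not intended, the callback has to consume (discard) the surplus bytes and report the full count so the connection remains usable.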
-- 
1.7.1