From 9b98e01c8f5d0dc8faaf3af7b8fc95768e1ff0ad Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 16 Sep 2020 15:50:33 +0100
Subject: [PATCH 31/31] channel-main: Handle not terminated host_data and
cert_subject_data fields
host_data and cert_subject_data fields from SPICE messages could be
not NUL terminated, so using g_strdup can read past the end of the buffer.
This bug was discovered by Uri Lublin.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
src/channel-main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/channel-main.c b/src/channel-main.c
index 2881d59..5fefded 100644
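--- a/src/channel-main.c
+++ b/src/channel-main.c
@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel,
 mig->src_channel = channel;
 mig->info = *dst_info;
 if (dst_info->host_data) {
- mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data);
+ mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size);
 }
 if (dst_info->cert_subject_data) {
- mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data);
+ mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data,
+ dst_info->cert_subject_size);
 }
 mig->from = coroutine_self();
 mig->do_seamless = do_seamless;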
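Review bot: Nothing in this hunk shows that `host_size` and `cert_subject_size` were checked against the received message length before they bound the two `g_strndup` copies, so the fix is only as strong as the validation done before `main_migrate_connect` runs; that should be confirmed in the message-parsing code, which is outside the hunk. A value carrying an embedded NUL is also shortened by the copy while `mig->info.host_size` and `mig->info.cert_subject_size` (taken over by `mig->info = *dst_info`) keep the wire length, so later users should treat both fields as C strings and, for the certificate subject in particular, it may be safer to reject a value whose string length differs from its declared size. A short comment above the first copy would record the reason for the bounded call, e.g. `/* wire fields may lack a terminating NUL: copy at most *_size bytes */`. The function body starts and ends outside the hunk.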
--
2.28.0