Tree - rpms/spice - CentOS Git server

Blob History Raw

		ad1357	`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
		ad1357	`From: Frediano Ziglio <fziglio@redhat.com>`
		ad1357	`Date: Fri, 6 Oct 2017 09:38:31 +0100`
		ad1357	`Subject: [spice-server] inputs-channel: Check message size handling migration`
		ad1357	`data`
		ad1357
		ad1357	`Prevent possible buffer reading overflow.`
		ad1357	`Note that message pointer must be valid and data are checked`
		ad1357	`value by value so even on overflow you just get an error.`
		ad1357
		ad1357	`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
		ad1357	`Acked-by: Christophe Fergeau <cfergeau@redhat.com>`
		ad1357	`---`
		ad1357	`server/inputs-channel.c \| 5 +++++`
		ad1357	`1 file changed, 5 insertions(+)`
		ad1357
		ad1357	`diff --git a/server/inputs-channel.c b/server/inputs-channel.c`
		ad1357	`index 8e17cc724..11a338a26 100644`
		ad1357	`--- a/server/inputs-channel.c`
		ad1357	`+++ b/server/inputs-channel.c`
		ad1357	`@@ -505,6 +505,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,`
		ad1357	`SpiceMigrateDataHeader *header;`
		ad1357	`SpiceMigrateDataInputs *mig_data;`
		ad1357
		ad1357	`+ if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {`
		ad1357	`+ spice_warning("bad message size %u", size);`
		ad1357	`+ return FALSE;`
		ad1357	`+ }`
		ad1357	`+`
		ad1357	`header = (SpiceMigrateDataHeader *)message;`
		ad1357	`mig_data = (SpiceMigrateDataInputs *)(header + 1);`
		ad1357