Blame SOURCES/0001-inputs-channel-Check-message-size-handling-migration.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 6 Oct 2017 09:38:31 +0100
Subject: [spice-server] inputs-channel: Check message size handling migration
 data
Prevent possible buffer reading overflow.
Note that the message pointer must be valid and the data are checked
value by value, so even on overflow you just get an error.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/inputs-channel.c | 5 +++++
 1 file changed, 5 insertions(+)
7bbc9c
diff --git a/server/inputs-channel.c b/server/inputs-channel.c
7bbc9c
index 8e17cc724..11a338a26 100644
7bbc9c
--- a/server/inputs-channel.c
7bbc9c
+++ b/server/inputs-channel.c
7bbc9c
@@ -505,6 +505,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
7bbc9c
     SpiceMigrateDataHeader *header;
7bbc9c
     SpiceMigrateDataInputs *mig_data;
7bbc9c
 
7bbc9c
+    if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
7bbc9c
+        spice_warning("bad message size %u", size);
7bbc9c
+        return FALSE;
7bbc9c
+    }
7bbc9c
+
7bbc9c
     header = (SpiceMigrateDataHeader *)message;
7bbc9c
     mig_data = (SpiceMigrateDataInputs *)(header + 1);
7bbc9c