rpms / spice

Clone
Source Code
GIT

Blame SOURCES/0087-main-channel-Prevent-overflow-reading-messages-from-.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s
  1.   88d513b4319e756e5fc71ff7109e21c16ddcd904
  2.   SOURCES
  3.   0087-main-channel-Prevent-overflow-reading-messages-from-.patch
Blob History Raw
88d513 
From c4e3113a8df53ba60c36829c8b2d583c2d5e529d Mon Sep 17 00:00:00 2001
88d513 
From: Frediano Ziglio <fziglio@redhat.com>
88d513 
Date: Tue, 29 Nov 2016 16:46:56 +0000
88d513 
Subject: [PATCH] main-channel: Prevent overflow reading messages from client
88d513
88d513 
Caller is supposed the function return a buffer able to store
88d513 
size bytes.
88d513
88d513 
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
88d513 
---
88d513 
 server/main_channel.c | 3 +++
88d513 
 1 file changed, 3 insertions(+)
88d513
88d513 
diff --git a/server/main_channel.c b/server/main_channel.c
88d513 
index 54718ba..bedff46 100644
88d513 
--- a/server/main_channel.c
88d513 
+++ b/server/main_channel.c
88d513 
@@ -1030,6 +1030,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
88d513
88d513 
     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
88d513 
         return reds_get_agent_data_buffer(mcc, size);
88d513 
+    } else if (size > sizeof(main_chan->recv_buf)) {
88d513 
+        /* message too large, caller will log a message and close the connection */
88d513 
+        return NULL;
88d513 
     } else {
88d513 
         return main_chan->recv_buf;
88d513 
     }
88d513 
--
88d513 
2.9.3
88d513

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation