uml: fix logic bug in checking reply length

* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
bytes were read to dereference both res.length, and that many
bytes from res.data.
Reported by Soren Hansen.

diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 04493ba999cb66d3ac024fc2ea943991e1780583..4b2e96bff0037ee76378c35c9152d3a10c2ff9cb 100644 (file)
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -737,14 +737,12 @@ static int umlMonitorCommand(const struct uml_driver *driver,
             virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
-        if (nbytes < sizeof res) {
+        /* Ensure res.length is safe to read before validating its value.  */
+        if (nbytes < offsetof(struct monitor_request, data) ||
+            nbytes < offsetof(struct monitor_request, data) + res.length) {
             virReportSystemError(0, _("incomplete reply %s"), cmd);
             goto error;
         }
-        if (sizeof res.data < res.length) {
-            virReportSystemError(0, _("invalid length in reply %s"), cmd);
-            goto error;
-        }
 
         if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
             virReportOOMError();