Fixed two bugs in QEMU impl of capabilities call
authorDaniel P. Berrange <berrange@redhat.com>
Thu, 15 Mar 2007 18:23:00 +0000 (18:23 +0000)
committerDaniel P. Berrange <berrange@redhat.com>
Thu, 15 Mar 2007 18:23:00 +0000 (18:23 +0000)
ChangeLog
qemud/dispatch.c
src/qemu_internal.c

index 8613e6e8161e6efac0ac8f7b199f14c6f387de5d..43b287310ebd767605db8ed55fc0bbb7ca6136d8 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Thu Mar 15 14:14:20 EST 2007 Daniel P Berrange <berrange@redhat.com>
+
+       * src/qemud_internal.c: Paranoia ensure the XML returned by
+       the getCapabilities call is NULL terminated before strduping
+       to protect from malicious / buggy server
+       * qemud/dispatch.c: Packet length for getCapabilities call
+       should be the size of the reply body, not the size of the
+       XML string.
+
 Thu Mar 15 14:14:20 EST 2007 Daniel P Berrange <berrange@redhat.com>
 
        * src/xen_internal.c: Fix missing NULL initializer
index 3c3b43025572987a24032d952a92d7345c4eb0e3..bb6d51a42566e2872e3b2d61a5047cdf469cb91c 100644 (file)
@@ -269,7 +269,7 @@ qemudDispatchGetCapabilities (struct qemud_server *server,
         return 0;
     }
     out->header.type = QEMUD_PKT_GET_CAPABILITIES;
-    out->header.dataSize = len;
+    out->header.dataSize = sizeof(out->data.getCapabilitiesReply);
     strcpy (out->data.getCapabilitiesReply.xml, xml->content);
     bufferFree (xml);
     return 0;
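Review bot: The `strcpy` just below the changed line still copies `xml->content` into the fixed-size `getCapabilitiesReply.xml` field with no bound, so the corrected `dataSize` is only safe if the check above the hunk (which computes `len`, outside my view) already rejects content that does not fit in that array with its terminator; if it does not, the copy overruns the reply struct. Keeping that explicit length check and replacing the copy with `snprintf(out->data.getCapabilitiesReply.xml, sizeof out->data.getCapabilitiesReply.xml, "%s", xml->content);` would make the function safe regardless of what precedes it. Separately, sending `sizeof(out->data.getCapabilitiesReply)` bytes puts every byte of the array after the string's NUL on the wire; unless `out` was zeroed earlier in the function, that transmits stale memory to the client, so a `memset(out->data.getCapabilitiesReply.xml, 0, sizeof out->data.getCapabilitiesReply.xml);` before the copy is worth adding. qemudDispatchGetCapabilities begins above the hunk.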
index 6a490441ab13077c3510d663832875558a7f1b56..112a78c9cb3da721b6dedc00f9769580a614e440 100644 (file)
@@ -468,6 +468,8 @@ qemuGetCapabilities (virConnectPtr conn)
         return NULL;
     }
 
+    reply.data.getCapabilitiesReply.xml[QEMUD_MAX_XML_LEN-1] = '\0';
+
     xml = strdup (reply.data.getCapabilitiesReply.xml);
     if (!xml) {
         qemuError (conn, NULL, VIR_ERR_NO_MEMORY, NULL);
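Review bot: The added terminator at `xml[QEMUD_MAX_XML_LEN-1]` hard-codes the array length instead of deriving it from the declaration, so it quietly stops protecting the `strdup` below if the field is ever declared with a different size; `reply.data.getCapabilitiesReply.xml[sizeof reply.data.getCapabilitiesReply.xml - 1] = '\0';` ties the bound to the array itself. The line also deserves a why-comment, since a reader may take it for a no-op: `/* reply came from the server and is untrusted: force NUL termination so strdup cannot read past the buffer */`. qemuGetCapabilities begins above the hunk.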