From: John Wolfe Date: Mon, 7 Jun 2021 15:25:09 +0000 (-0700) Subject: Add check that the packet size received is >= expected packet header size. X-Git-Tag: stable-12.0.0~181 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1751cd1e49edb5d88cb4d5175bdbb7ac5d86054c;p=thirdparty%2Fopen-vm-tools.git Add check that the packet size received is >= expected packet header size. DnD RpcV3: A corrupted packet received may result in an out of bounds (OOB) memory access if the length of the message received is less than the size of the expected packet header.
---
diff --git a/open-vm-tools/services/plugins/dndcp/dndGuest/rpcV3Util.cpp b/open-vm-tools/services/plugins/dndcp/dndGuest/rpcV3Util.cpp
index f4ed95b4c..89515a79e 100644
--- a/open-vm-tools/services/plugins/dndcp/dndGuest/rpcV3Util.cpp
+++ b/open-vm-tools/services/plugins/dndcp/dndGuest/rpcV3Util.cpp
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2010-2019 VMware, Inc. All rights reserved.
+ * Copyright (C) 2010-2021 VMware, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
@@ -306,7 +306,13 @@ RpcV3Util::OnRecvPacket(uint32 srcId,
 {
 DnDTransportPacketHeader *packetV3 = (DnDTransportPacketHeader *)packet;
 ASSERT(packetV3);
- if (packetSize <= 0 || packetSize > DND_MAX_TRANSPORT_PACKET_SIZE ||
+ /*
+ * Adding extra check to verify the validity of packetSize,
+ * In case payload is corrupted its causing illegal access exceptions.
+ * bug: 2639178
+ */
+ if (packetSize < sizeof(DnDTransportPacketHeader) ||
+ packetSize > DND_MAX_TRANSPORT_PACKET_SIZE ||
 packetV3->payloadSize > DND_MAX_TRANSPORT_PACKET_PAYLOAD_SIZE ||
 (packetV3->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE) != packetSize) {
 goto invalid_packet;
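Review bot: The rewritten `if` in the second hunk measures the header two ways: the new lower bound uses `sizeof(DnDTransportPacketHeader)`, while the unchanged equality test below it uses `DND_TRANSPORT_PACKET_HEADER_SIZE`, and nothing visible here shows the two are equal. The bound does keep the `packetV3->payloadSize` read inside the received buffer, but if the struct is larger than the macro (padding, or a trailing payload member), a well-formed packet with an empty payload would now be rejected as invalid. Provided the macro spans the `payloadSize` field, I would use one definition for both tests, `if (packetSize < DND_TRANSPORT_PACKET_HEADER_SIZE ||`. The added comment would also serve the next reader better as the invariant, `/* packetSize must cover the fixed header before packetV3->payloadSize is read. */`, than as a change note with an internal bug number. The body of RpcV3Util::OnRecvPacket starts and ends outside the hunk, so the declared type of `packetSize` could not be checked against the `sizeof` comparison.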