From: Jim Meyering Date: Wed, 3 Mar 2010 10:27:16 +0000 (+0100) Subject: qemu restore: don't let corrupt input provoke unwarranted OOM X-Git-Tag: v0.8.0~342 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a4d5c9543641c444dccd682f6256ee3faf22a80;p=thirdparty%2Flibvirt.git qemu restore: don't let corrupt input provoke unwarranted OOM * src/qemu/qemu_driver.c (qemudDomainRestore): A corrupt save file (in particular, a too-large header.xml_len value) would cause an unwarranted out-of-memory error. Do not trust the just-read header.xml_len. Instead, merely use that as a hint, and read/allocate up to that number of bytes from the file. Also verify that header.xml_len is positive; if it were negative, passing it to virFileReadLimFD could cause trouble. --- diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 4707f721fe..c6991b50eb 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5117,12 +5117,13 @@ static int qemudDomainRestore(virConnectPtr conn, goto cleanup; } - if (VIR_ALLOC_N(xml, header.xml_len) < 0) { - virReportOOMError(); + if (header.xml_len <= 0) { + qemuReportError(VIR_ERR_OPERATION_FAILED, + _("invalid XML length: %d"), header.xml_len); goto cleanup; } - if (saferead(fd, xml, header.xml_len) != header.xml_len) { + if (virFileReadLimFD(fd, header.xml_len, &xml) != header.xml_len) { qemuReportError(VIR_ERR_OPERATION_FAILED, "%s", _("failed to read XML")); goto cleanup;
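Review bot: the new read check, `virFileReadLimFD(fd, header.xml_len, &xml) != header.xml_len`, only passes if virFileReadLimFD stops at the limit and returns exactly that count when the file holds more bytes after the XML. If the helper instead treats data beyond the limit as an error, a well-formed save file with anything following the XML would be rejected with "failed to read XML"; if it reads ahead, the fd would no longer sit right after the XML. Please confirm the helper's behaviour for a file longer than header.xml_len and note it in a comment at this call. Also, xml is now allocated by the callee rather than by VIR_ALLOC_N, so check that the cleanup path still frees it when a short read returns a buffer whose length does not match header.xml_len.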