From: Eric Blake <eblake@redhat.com>
Date: Wed, 3 Mar 2010 16:31:02 +0000 (-0700)
Subject: uml: sanity check external data before using it
X-Git-Tag: v0.8.2~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=582c75ec459169ebb465701dfea9c128c01bd1fe;p=thirdparty%2Flibvirt.git

uml: sanity check external data before using it

Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.

* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---

diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 31112115c1..1cbd0bd81c 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
         if (nbytes < 0) {
             if (errno == EAGAIN || errno == EINTR)
                 continue;
-            virReportSystemError(errno,
-                                 _("cannot read reply %s"),
-                                 cmd);
+            virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
         if (nbytes < sizeof res) {
-            virReportSystemError(errno,
-                                 _("incomplete reply %s"),
-                                 cmd);
+            virReportSystemError(0, _("incomplete reply %s"), cmd);
+            goto error;
+        }
+        if (sizeof res.data < res.length) {
+            virReportSystemError(0, _("invalid length in reply %s"), cmd);
             goto error;
         }