From: Rachid Koucha <47061324+Rachid-Koucha@users.noreply.github.com>
Date: Sat, 26 Jan 2019 23:10:39 +0000 (+0100)
Subject: Avoid risk of "too far memory read"
X-Git-Tag: lxc-3.2.0~181^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71fc9c046816b2bae564481741658defafc01b62;p=thirdparty%2Flxc.git

Avoid risk of "too far memory read"

As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
---

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 392fdab2c..5f2e25b6d 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -896,7 +896,7 @@ static int lxc_cmd_add_state_client_callback(int fd, struct lxc_cmd_req *req,
 	if (req->datalen < 0)
 		goto reap_client_fd;
 
-	if (req->datalen > (sizeof(lxc_state_t) * MAX_STATE))
+	if (req->datalen != (sizeof(lxc_state_t) * MAX_STATE))
 		goto reap_client_fd;
 
 	if (!req->data)