From: VMware, Inc <>
Date: Thu, 22 Dec 2011 00:32:42 +0000 (-0800)
Subject: Fix a security issue in HGFS server.
X-Git-Tag: 2011.12.20-562307~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=577b7eb2dfc1939846ec97d8451f152ee456cd63;p=thirdparty%2Fopen-vm-tools.git

Fix a security issue in HGFS server.

When a packet is received by the HGFS server, all sanity tests related to the header size and packet sizes should be done first before doing any other tests. Moved the header and packet size checks to the beginning of the validation process.

Signed-off-by: Marcelo Vanzin
---
diff --git a/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c b/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
index b5faa16b1..546732afd 100644
--- a/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
+++ b/open-vm-tools/lib/hgfsServer/hgfsServerParameters.c
@@ -331,20 +331,24 @@ HgfsParseRequest(HgfsPacket *packet, // IN: request packet
 HgfsHeader *header = (HgfsHeader *)request;
 localInput->v4header = TRUE;
 localInput->id = header->requestId;
+ localInput->op = header->op;
 if (packetSize >= offsetof(HgfsHeader, sessionId) + sizeof header->sessionId) {
- if (header->op != HGFS_OP_CREATE_SESSION_V4) {
+ if (packetSize < header->packetSize ||
+ header->packetSize < header->headerSize) {
+ LOG(4, ("%s: Malformed HGFS packet received - inconsistent header"
+ " and packet sizes!\n", __FUNCTION__));
+ result = HGFS_ERROR_PROTOCOL;
+ }
+
+ if ((HGFS_ERROR_SUCCESS == result) &&
+ (header->op != HGFS_OP_CREATE_SESSION_V4)) {
 session = HgfsServerTransportGetSessionInfo(transportSession, header->sessionId);
 if (!session || session->state != HGFS_SESSION_STATE_OPEN) {
 LOG(4, ("%s: HGFS packet with invalid session id!\n", __FUNCTION__));
 result = HGFS_ERROR_STALE_SESSION;
 }
- } else if (packetSize < header->packetSize ||
- header->packetSize < header->headerSize) {
- LOG(4, ("%s: Malformed HGFS packet received - inconsistent header"
- " and packet sizes!\n", __FUNCTION__));
- result = HGFS_ERROR_PROTOCOL;
 }
 } else {
 LOG(4, ("%s: Malformed HGFS packet received - header is too small!\n",
@@ -353,7 +357,6 @@ HgfsParseRequest(HgfsPacket *packet, // IN: request packet
 }
 if (HGFS_ERROR_SUCCESS == result) { // Passed all tests
- localInput->op = header->op;
 localInput->payload = (char *)request + header->headerSize;
 localInput->payloadSize = header->packetSize - header->headerSize;
 }
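Review bot: The added `localInput->op = header->op;` reads a header field before the `packetSize >= offsetof(HgfsHeader, sessionId) + sizeof header->sessionId` test, as the existing `localInput->id = header->requestId;` already does, so on a packet shorter than the V4 header those fields are read from beyond the received bytes unless a length check outside this hunk already guarantees them. That sits oddly with the commit's stated goal of doing the size tests first; moving both assignments to the top of the `if (packetSize >= …)` branch would keep every header read behind the size test, provided the "header is too small" path does not need `op` (not visible here). Separately, the relocated size test accepts any `headerSize` up to `packetSize`, including one smaller than the fixed header, in which case `localInput->payload` in the second hunk would point into the header itself; adding a lower bound such as `header->headerSize < offsetof(HgfsHeader, sessionId) + sizeof header->sessionId` to the same condition would reject that. HgfsParseRequest starts and ends outside both hunks.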