[Bug 41988] New: client segfaults if server link message header size is set to 0.
bugzilla-daemon at freedesktop.org
Wed Oct 19 01:51:59 PDT 2011
https://bugs.freedesktop.org/show_bug.cgi?id=41988
Bug #: 41988
Summary: client segfaults if server link message header size is set to 0.
Classification: Unclassified
Product: Spice
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: gtk-client
AssignedTo: spice-bugs at lists.freedesktop.org
ReportedBy: ykaul at redhat.com
In gtk/spice-channel.c, line 978:
c->peer_msg = spice_malloc(c->peer_hdr.size);
However, peer_hdr.size is taken directly from the network without a sanity
check, and the success of the c->peer_msg allocation is not verified. Therefore, sending a
malformed link header would crash the client.
stack:
Program received signal SIGSEGV, Segmentation fault.
0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
1436 switch (c->peer_msg->error) {
(gdb) bt
#0 0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
#1 spice_channel_iterate_read (channel=0x1856f30) at spice-channel.c:1809
#2 0x00007f3625d783e4 in spice_channel_iterate (channel=0x1856f30) at spice-channel.c:1859
#3 spice_channel_coroutine (data=0x1856f30) at spice-channel.c:2007
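As an added example (not code from this report or from spice-gtk), a hardened version of the receive path with the two checks the report says are missing: a bound on the peer-supplied size before the allocation, and a NULL check after it. The struct layouts, field names and the LINK_MSG_MAX bound are assumptions, not the real SPICE protocol definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified layouts for illustration; not the real SPICE structs. */
typedef struct { uint32_t size; } link_hdr_t;                  /* announced body size */
typedef struct { uint32_t error; uint32_t pad; } link_reply_t; /* read via ->error */
#define LINK_MSG_MAX (64 * 1024)   /* assumed sane upper bound for a link reply */

/* Reject sizes too small to hold the struct read through later (0 is the reported
 * case) and sizes large enough to exhaust memory. */
int link_size_ok(uint32_t size)
{
    return size >= sizeof(link_reply_t) && size <= LINK_MSG_MAX;
}

/* Parse header + body. Returns 0 with a heap copy of the body in *out, or -1 with
 * *out == NULL on malformed input or allocation failure. */
int recv_link_msg(const uint8_t *buf, size_t len, link_reply_t **out)
{
    link_hdr_t hdr;
    *out = NULL;
    if (len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (!link_size_ok(hdr.size))         /* the missing sanity check */
        return -1;
    if (len - sizeof hdr < hdr.size)     /* body must actually have arrived */
        return -1;
    link_reply_t *msg = malloc(hdr.size);
    if (msg == NULL)                     /* the missing allocation check */
        return -1;
    memcpy(msg, buf + sizeof hdr, hdr.size);
    *out = msg;
    return 0;
}

/* Constructed sample inputs (not captured traffic). */
int demo_zero_size(void)   /* header announcing size 0: rejected, returns -1 */
{
    link_hdr_t hdr = { 0 };
    link_reply_t *msg;
    return recv_link_msg((const uint8_t *)&hdr, sizeof hdr, &msg);
}
int demo_valid(void)       /* well-formed reply carrying error code 7: returns 7 */
{
    struct { link_hdr_t h; link_reply_t b; } pkt = { { sizeof(link_reply_t) }, { 7, 0 } };
    link_reply_t *msg;
    if (recv_link_msg((const uint8_t *)&pkt, sizeof pkt, &msg) != 0)
        return -1;
    int err = (int)msg->error; free(msg); return err;
}
```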