[Spice-commits] server/inputs-channel.c

Thu Oct 12 15:15:53 UTC 2017

server/inputs-channel.c |    5 +++++
 1 file changed, 5 insertions(+)

New commits:
commit 617479413e20bd00525218346ef887aecdd314ba
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Fri Oct 6 09:38:31 2017 +0100

    inputs-channel: Check message size handling migration data
    
    Prevent possible buffer reading overflow.
    Note that message pointer must be valid and data are checked
    value by value so even on overflow you just get an error.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Christophe Fergeau <cfergeau at redhat.com>

diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 96fd8739..9becb435 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -505,6 +505,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
     SpiceMigrateDataHeader *header;
     SpiceMigrateDataInputs *mig_data;
 
+    if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
+        spice_warning("bad message size %u", size);
+        return FALSE;
+    }
+
     header = (SpiceMigrateDataHeader *)message;
     mig_data = (SpiceMigrateDataInputs *)(header + 1);
 
