[Spice-commits] server/inputs-channel.c
Frediano Ziglio
fziglio at kemper.freedesktop.org
Thu Oct 12 15:15:53 UTC 2017
server/inputs-channel.c | 5 +++++
1 file changed, 5 insertions(+)
New commits:
commit 617479413e20bd00525218346ef887aecdd314ba
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Fri Oct 6 09:38:31 2017 +0100
inputs-channel: Check message size handling migration data
Prevent possible buffer reading overflow.
Note that message pointer must be valid and data are checked
value by value so even on overflow you just get an error.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 96fd8739..9becb435 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -505,6 +505,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
SpiceMigrateDataHeader *header;
SpiceMigrateDataInputs *mig_data;
+ if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
+ spice_warning("bad message size %u", size);
+ return FALSE;
+ }
+
header = (SpiceMigrateDataHeader *)message;
mig_data = (SpiceMigrateDataInputs *)(header + 1);
More information about the Spice-commits
mailing list