[Spice-commits] vdagent/vdagent.cpp
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Jun 29 18:52:27 UTC 2018
vdagent/vdagent.cpp | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
New commits:
commit 8251fa25ac0c0a9a8055a6eb7299d7d379341b94
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Wed May 30 14:32:10 2018 +0100
Minimal message size check
Avoid some possible integer overflows.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
index 551f326..1e8f27c 100644
--- a/vdagent/vdagent.cpp
+++ b/vdagent/vdagent.cpp
@@ -1231,6 +1231,60 @@ void VDAgent::dispatch_message(VDAgentMessage* msg, uint32_t port)
{
bool res = true;
+ // check minimal message size
+ int min_size = -1;
+ switch (msg->type) {
+ case VD_AGENT_MOUSE_STATE:
+ min_size = sizeof(VDAgentMouseState);
+ break;
+ case VD_AGENT_MONITORS_CONFIG:
+ min_size = sizeof(VDAgentMonitorsConfig);
+ break;
+ case VD_AGENT_CLIPBOARD:
+ min_size = sizeof(VDAgentClipboard);
+ break;
+ case VD_AGENT_CLIPBOARD_GRAB:
+ min_size = sizeof(VDAgentClipboardGrab);
+ break;
+ case VD_AGENT_CLIPBOARD_REQUEST:
+ min_size = sizeof(VDAgentClipboardRequest);
+ break;
+ case VD_AGENT_CLIPBOARD_RELEASE:
+ min_size = sizeof(VDAgentClipboardRelease);
+ break;
+ case VD_AGENT_DISPLAY_CONFIG:
+ min_size = sizeof(VDAgentDisplayConfig);
+ break;
+ case VD_AGENT_ANNOUNCE_CAPABILITIES:
+ min_size = sizeof(VDAgentAnnounceCapabilities);
+ break;
+ case VD_AGENT_FILE_XFER_START:
+ min_size = sizeof(VDAgentFileXferStatusMessage);
+ break;
+ case VD_AGENT_FILE_XFER_STATUS:
+ min_size = sizeof(VDAgentFileXferStatusMessage);
+ break;
+ case VD_AGENT_FILE_XFER_DATA:
+ min_size = sizeof(VDAgentFileXferDataMessage);
+ break;
+ case VD_AGENT_CLIENT_DISCONNECTED:
+ min_size = 0;
+ break;
+ case VD_AGENT_MAX_CLIPBOARD:
+ min_size = sizeof(VDAgentMaxClipboard);
+ break;
+ }
+ if (min_size < 0) {
+ vd_printf("Unsupported message type %u size %u", msg->type, msg->size);
+ _running = false;
+ return;
+ }
+ if (msg->size < (unsigned) min_size) {
+ vd_printf("Unexpected msg size %u for message type %u", msg->size, msg->type);
+ _running = false;
+ return;
+ }
+
switch (msg->type) {
case VD_AGENT_MOUSE_STATE:
res = handle_mouse_event((VDAgentMouseState*)msg->data);
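Review bot: The `VD_AGENT_FILE_XFER_START` case sets `min_size = sizeof(VDAgentFileXferStatusMessage)`, the same struct as the `VD_AGENT_FILE_XFER_STATUS` case right below it, which looks like a copy-paste. If the start message has its own header type (spice-protocol defines `VDAgentFileXferStartMessage`), the bound should be `min_size = sizeof(VDAgentFileXferStartMessage);`. More generally, this check only guarantees that the fixed-size header is present. Messages that carry a count or a trailing array (monitors config, clipboard grab, announce capabilities, file-xfer data) still need their handlers to validate the embedded length against `msg->size - min_size` before indexing; those handlers are outside this hunk, so I cannot confirm they do. A comment above the new switch such as `// min_size covers the fixed header only; handlers must bound variable-length payloads against msg->size` would make that contract explicit.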