[Spice-devel] [PATCH spice-server 7/7] red_worker.c: fix memory corruption when data from client is bigger than 1024 bytes

Hans de Goede hdegoede at redhat.com
Thu Nov 22 02:08:37 PST 2012


Hi,

Looks good, ACK.

Regards,

Hans


On 11/21/2012 08:42 PM, Yonit Halperin wrote:
> Previously, there was no check for the size of the message received from
> the client, and all messages were read into a buffer of size 1024.
> However, migration data can be bigger than 1024. In such cases, memory
> corruption occurred.
> ---
>   server/red_worker.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
>
> diff --git a/server/red_worker.c b/server/red_worker.c
> index d27aa7e..54cad53 100644
> --- a/server/red_worker.c
> +++ b/server/red_worker.c
> @@ -1597,12 +1597,24 @@ static uint8_t *common_alloc_recv_buf(RedChannelClient *rcc, uint16_t type, uint
>   {
>       CommonChannel *common = SPICE_CONTAINEROF(rcc->channel, CommonChannel, base);
>
> +    /* SPICE_MSGC_MIGRATE_DATA is the only client message whose size is dynamic */
> +    if (type == SPICE_MSGC_MIGRATE_DATA) {
> +        return spice_malloc(size);
> +    }
> +
> +    if (size > RECIVE_BUF_SIZE) {
> +        spice_critical("unexpected message size %u (max is %d)", size, RECIVE_BUF_SIZE);
> +        return NULL;
> +    }
>       return common->recv_buf;
>   }
>
>   static void common_release_recv_buf(RedChannelClient *rcc, uint16_t type, uint32_t size,
>                                       uint8_t* msg)
>   {
> +    if (type == SPICE_MSGC_MIGRATE_DATA) {
> +        free(msg);
> +    }
>   }
>
>   #define CLIENT_PIXMAPS_CACHE
>
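Review bot: the new `SPICE_MSGC_MIGRATE_DATA` branch passes the client-supplied `size` straight to `spice_malloc(size)` with no upper bound, so the hunk replaces the overflow with an allocation whose length a remote client fully controls; consider rejecting (with the same `spice_critical` path) migrate-data messages above a sane maximum rather than trusting the header length unconditionally. Two smaller points in the same hunk: the buffer is obtained with `spice_malloc` but released with plain `free` in `common_release_recv_buf`, which is only correct if `spice_malloc` is a thin wrapper over `malloc`, so the matching project deallocator (if one exists) would be safer and clearer; and the comment claims migrate data is "the only client message whose size is dynamic", which is worth stating in the commit message too, since the `RECIVE_BUF_SIZE` check now hard-fails any other message larger than the fixed buffer.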

