[Spice-devel] [PATCH spice-server] inputs-channel: Check message size handling migration data

Frediano Ziglio fziglio at redhat.com
Fri Oct 6 10:58:33 UTC 2017


Prevent possible buffer reading overflow.
Note that message pointer must be valid and data are checked
value by value so even on overflow you just get an error.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/inputs-channel.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 2de1c7c80..3d43e90ff 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -507,6 +507,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
     SpiceMigrateDataHeader *header;
     SpiceMigrateDataInputs *mig_data;
 
+    if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
+        spice_warning("bad message size %u", size);
+        return FALSE;
+    }
+
     header = (SpiceMigrateDataHeader *)message;
     mig_data = (SpiceMigrateDataInputs *)(header + 1);
 
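Review bot: the early return in the new size check uses `FALSE`, while the hunk header shows the function is declared `static bool`, so `return false;` would match the declared return type. The `spice_warning("bad message size %u", size)` call also assumes `size` is an unsigned int; its declaration is not in the visible context, so please confirm the specifier matches the parameter type. Logging the expected minimum (the sum of the two `sizeof` values) next to the received size would make the warning easier to act on when a migration is rejected.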
-- 
2.13.6


