[Spice-devel] [PATCH spice-server] inputs-channel: Check message size handling migration data

Christophe Fergeau cfergeau at redhat.com
Thu Oct 12 15:01:54 UTC 2017


On Fri, Oct 06, 2017 at 11:58:33AM +0100, Frediano Ziglio wrote:
> Prevent possible buffer reading overflow.
> Note that message pointer must be valid and data are checked
> value by value so even on overflow you just get an error.
> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  server/inputs-channel.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/server/inputs-channel.c b/server/inputs-channel.c
> index 2de1c7c80..3d43e90ff 100644
> --- a/server/inputs-channel.c
> +++ b/server/inputs-channel.c
> @@ -507,6 +507,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
>      SpiceMigrateDataHeader *header;
>      SpiceMigrateDataInputs *mig_data;
>  
> +    if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
> +        spice_warning("bad message size %u", size);
> +        return FALSE;
> +    }
> +

I would say this is a good candidate for using red_channel_warning()
which I sent a series for ;)
If the header is invalid, spice_error() is used, better to use
spice_error() here too for consistency? (or the opposite).


Acked-by: Christophe Fergeau <cfergeau at redhat.com>

Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20171012/d3fba723/attachment.sig>


More information about the Spice-devel mailing list