[Spice-devel] [PATCH spice-server] inputs-channel: Check message size handling migration data
Christophe Fergeau
cfergeau at redhat.com
Thu Oct 12 15:01:54 UTC 2017
On Fri, Oct 06, 2017 at 11:58:33AM +0100, Frediano Ziglio wrote:
> Prevent possible buffer reading overflow.
> Note that message pointer must be valid and data are checked
> value by value so even on overflow you just get an error.
>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/inputs-channel.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/server/inputs-channel.c b/server/inputs-channel.c
> index 2de1c7c80..3d43e90ff 100644
> --- a/server/inputs-channel.c
> +++ b/server/inputs-channel.c
> @@ -507,6 +507,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
> SpiceMigrateDataHeader *header;
> SpiceMigrateDataInputs *mig_data;
>
> + if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
> + spice_warning("bad message size %u", size);
> + return FALSE;
> + }
> +
I would say this is a good candidate for using red_channel_warning()
which I sent a series for ;)
If the header is invalid, spice_error() is used, better to use
spice_error() here too for consistency? (or the opposite).
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20171012/d3fba723/attachment.sig>
More information about the Spice-devel
mailing list