[Spice-devel] [PATCH spice-gtk 1/2] spice-channel: Check minimum size of peer_msg
Frediano Ziglio
fziglio at redhat.com
Thu Nov 29 07:51:54 UTC 2018
Other parts of the code assume peer_msg contains at least a fixed
structure so make sure server is sending enough data.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
src/spice-channel.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/spice-channel.c b/src/spice-channel.c
index c61bcbab..7e5b2e7f 100644
--- a/src/spice-channel.c
+++ b/src/spice-channel.c
@@ -1400,6 +1400,11 @@ static gboolean spice_channel_recv_link_hdr(SpiceChannel *channel)
c->peer_hdr.minor_version = GUINT32_FROM_LE(c->peer_hdr.minor_version);
c->peer_hdr.size = GUINT32_FROM_LE(c->peer_hdr.size);
+ if (c->peer_hdr.size < sizeof(*c->peer_msg)) {
+ g_warning("invalid peer header size: %u", c->peer_hdr.size);
+ goto error;
+ }
+
c->peer_msg = g_malloc0(c->peer_hdr.size);
if (c->peer_msg == NULL) {
g_warning("invalid peer header size: %u", c->peer_hdr.size);
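Review bot: the added check bounds c->peer_hdr.size only from below, so the server-supplied 32-bit value still goes unchanged into g_malloc0(c->peer_hdr.size), and g_malloc0 aborts the process when it cannot satisfy the request. Consider pairing the minimum with an upper limit, or switching to g_try_malloc0 so that the existing NULL branch handles an oversized request. With the minimum enforced, the size can no longer be 0, which is the only case in which g_malloc0 returns NULL, so the `if (c->peer_msg == NULL)` branch below becomes unreachable as written. The new g_warning also reuses the exact text "invalid peer header size: %u" from that branch; a distinct message for the too-small case, for example one that also prints sizeof(*c->peer_msg), would make the two failures distinguishable in logs.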
--
2.17.2