On Thu, Oct 15, 2020 at 02:04:59PM -0400, Jagannathan Raman wrote:
> +void mpqemu_msg_recv(MPQemuMsg *msg, QIOChannel *ioc, Error **errp)
> +{
> + Error *local_err = NULL;
> + int *fds = NULL;
> + size_t nfds = 0;
> + ssize_t len;
> +
> + len = mpqemu_read(ioc, (void *)msg, MPQEMU_MSG_HDR_SIZE, &fds, &nfds,
> + &local_err);
> + if (!local_err) {
> + if (len == -EIO) {
> + error_setg(&local_err, "Connection closed.");
> + goto fail;
> + }
> + if (len < 0) {
> + error_setg(&local_err, "Message length is less than 0");
> + goto fail;
> + }
> + if (len != MPQEMU_MSG_HDR_SIZE) {
> + error_setg(&local_err, "Message header corrupted");
> + goto fail;
> + }
> + } else {
> + goto fail;
> + }
> +
> + if (msg->size > sizeof(msg->data)) {
> + error_setg(&local_err, "Invalid size for message");
> + goto fail;
> + }
> +
> + if (mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL,
> + &local_err) < 0) {
> + goto fail;
> + }
> +
> + msg->num_fds = nfds;
> + if (nfds) {
> + memcpy(msg->fds, fds, nfds * sizeof(int));
I can't find anything that limits nfds to REMOTE_MAX_FDS. This looks like a buffer overflow.
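Review bot: The payload read `mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL, &local_err)` only rejects a negative return, so a short read is treated as success and the remainder of msg->data is left unfilled, whereas the header read just above insists on `len != MPQEMU_MSG_HDR_SIZE`. Unless mpqemu_read is guaranteed to loop until all msg->size bytes have arrived (not visible here, and the exact-length check on the header suggests it is not), the data read should apply the same exact-length test and fail otherwise. That means keeping its return value in `len` and comparing it with msg->size, with a cast since `len` is ssize_t. The function continues past the end of the quoted hunk (the `fail` label and any cleanup of the fds received with the header are not shown), so whether those fds are released on this error path cannot be judged from the lines here.
```c
    /* … unchanged: header read, length and size checks … */
    len = mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL,
                      &local_err);
    if (len < 0) {
        goto fail;
    }
    if ((size_t)len != msg->size) {
        error_setg(&local_err, "Message data truncated");
        goto fail;
    }
    /* … unchanged: num_fds assignment and fds copy … */
```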
