Prevent possible buffer reading overflow.
Note that message pointer must be valid and data are checked
value by value so even on overflow you just get an error.

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
---
 server/inputs-channel.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 2de1c7c80..3d43e90ff 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -507,6 +507,11 @@ static bool 
inputs_channel_handle_migrate_data(RedChannelClient *rcc,
     SpiceMigrateDataHeader *header;
     SpiceMigrateDataInputs *mig_data;
 
+    if (size < sizeof(SpiceMigrateDataHeader) + 
sizeof(SpiceMigrateDataInputs)) {
+        spice_warning("bad message size %u", size);
+        return FALSE;
+    }
+
     header = (SpiceMigrateDataHeader *)message;
     mig_data = (SpiceMigrateDataInputs *)(header + 1);
 
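Review bot: in the added size check, `return FALSE;` sits in a function the hunk header declares as `static bool`, so `return false;` would match the return type. The comparison itself is placed correctly, before `message` is cast to `SpiceMigrateDataHeader *` and `header + 1` is read as `SpiceMigrateDataInputs`, so a short message is rejected before any field is read. Two smaller points on the warning line: `%u` is only right if `size` is an unsigned int sized type, and its declaration is not visible in this hunk, so please confirm it (or use the matching specifier); and logging the expected minimum next to the received size would make a failed migration easier to diagnose. The commit message could also say more clearly why the check is still wanted given that the data are "checked value by value".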
-- 
2.13.6

_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/spice-devel
