[libvirt] [PATCH] proxy: Fix use of uninitialized memory

Rasputin rasputin at email.ru
Tue Jan 27 18:33:12 UTC 2009


On a short read, members of the packet header are checked before they are
actually read. If uninitialized values can pass the test, they can be set to
arbitrary values while reading the remaining portion of a packet.

Buffer overflow is possible. libvirt_proxy is suid-root.


diff -urp libvirt-0.5.1/proxy/libvirt_proxy.c libvirt-dev/proxy/libvirt_proxy.c
--- libvirt-0.5.1/proxy/libvirt_proxy.c 2008-11-20 08:58:43.000000000 +0100
+++ libvirt-dev/proxy/libvirt_proxy.c   2009-01-25 12:51:33.000000000 +0100
@@ -385,7 +385,8 @@ retry:
         fprintf(stderr, "read %d bytes from client %d on socket %d\n",
                 ret, nr, pollInfos[nr].fd);

-    if ((req->version != PROXY_PROTO_VERSION) ||
+    if ((ret != sizeof(virProxyPacket)) ||
+        (req->version != PROXY_PROTO_VERSION) ||
         (req->len < sizeof(virProxyPacket)) ||
         (req->len > sizeof(virProxyFullPacket)))
         goto comm_error;
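
Review bot: The added first condition, `ret != sizeof(virProxyPacket)`, compares `ret` (printed with `%d` two lines above, so presumably a signed int) against a `size_t`. A negative `ret` converts to a large unsigned value and still fails the comparison, so the check behaves correctly, but an explicit `ret < 0` test or a cast would make the intent visible and avoid a sign-compare warning. The condition also turns every short read of the header into `goto comm_error` instead of a retry; that is a reasonable fail-closed choice for a suid-root binary, and a one-line comment saying it is deliberate would help the next reader. The description says the overflow happens while reading the remaining portion of a packet, which is outside this hunk; it is worth confirming that read validates its return length against `req->len - sizeof(virProxyPacket)` in the same way.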



