[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] proxy: Fix use of uninitalized memory



On short read, members of packet header are checked before actually read.
If uninitialized values can pass the test, they can be set to arbitrary
values while reading remaining portion of a packet.

Buffer overflow is possible. libvirt_proxy is suid-root.


diff -urp libvirt-0.5.1/proxy/libvirt_proxy.c libvirt-dev/proxy/libvirt_proxy.c
--- libvirt-0.5.1/proxy/libvirt_proxy.c 2008-11-20 08:58:43.000000000 +0100
+++ libvirt-dev/proxy/libvirt_proxy.c   2009-01-25 12:51:33.000000000 +0100
@@ -385,7 +385,8 @@ retry:
        fprintf(stderr, "read %d bytes from client %d on socket %d\n",
                ret, nr, pollInfos[nr].fd);

-    if ((req->version != PROXY_PROTO_VERSION) ||
+    if ((ret != sizeof(virProxyPacket)) ||
+        (req->version != PROXY_PROTO_VERSION) ||
        (req->len < sizeof(virProxyPacket)) ||
        (req->len > sizeof(virProxyFullPacket)))
        goto comm_error;


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]