[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] uml: fix logic bug in checking reply length



* src/uml/uml_driver.c (umlMonitorCommand): Validate that enough
bytes were read to dereference both res.length, and that many
bytes from res.data.
Reported by Soren Hansen.
---

> Yup, this looks good.

I'll wait for a third-party ack before pushing this.

Meanwhile, I discovered a bug in Solaris' implementation of
offsetof.  POSIX requires that offsetof be an integer
constant expression, which means that:

sizeof offsetof(a,b)

should compile.  But Solaris (and probably other buggy systems)
used too few parens in their macro, and you have to use:

sizeof(offsetof(a,b))

instead.  Interesting trivia, but at least it doesn't affect
any of libvirt's existing uses of offsetof.

 src/uml/uml_driver.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 04493ba..37ddc39 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -737,14 +737,11 @@ static int umlMonitorCommand(const struct uml_driver *driver,
             virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
-        if (nbytes < sizeof res) {
+        if (nbytes < offsetof(struct monitor_request, data) ||
+            nbytes < res.length + offsetof(struct monitor_request, data)) {
             virReportSystemError(0, _("incomplete reply %s"), cmd);
             goto error;
         }
-        if (sizeof res.data < res.length) {
-            virReportSystemError(0, _("invalid length in reply %s"), cmd);
-            goto error;
-        }

         if (VIR_REALLOC_N(retdata, retlen + res.length) < 0) {
             virReportOOMError();
-- 
1.7.2.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]