| From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001 |
| From: Frediano Ziglio <fziglio@redhat.com> |
| Date: Mon, 15 May 2017 15:57:28 +0100 |
| Subject: [PATCH] reds: Avoid buffer overflows handling monitor |
| configuration |
| |
| It was also possible for a malicious client to set |
| VDAgentMonitorsConfig::num_of_monitors to a number larger |
| than the actual size of VDAgentMonitorsConfig::monitors. |
| This would lead to buffer overflows, which could allow the guest to |
| read part of the host memory. This might cause write overflows in the |
| host as well, but controlling the content of such buffers seems |
| complicated. |
| |
| Signed-off-by: Frediano Ziglio <fziglio@redhat.com> |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| server/reds.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| diff --git a/server/reds.c b/server/reds.c |
| index e1c8c108..3a42c375 100644 |
| --- a/server/reds.c |
| +++ b/server/reds.c |
| @@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config( |
| VDAgentMessage *msg_header; |
| VDAgentMonitorsConfig *monitors_config; |
| RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; |
| + uint32_t max_monitors; |
| |
| // limit size of message sent by the client as this can cause a DoS through |
| // memory exhaustion, or potentially some integer overflows |
| @@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config( |
| goto overflow; |
| } |
| monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); |
| + // limit the monitor number to avoid buffer overflows |
| + max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / |
| + sizeof(VDAgentMonConfig); |
| + if (monitors_config->num_of_monitors > max_monitors) { |
| + goto overflow; |
| + } |
| spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); |
| red_dispatcher_client_monitors_config(monitors_config); |
| reds_client_monitors_config_cleanup(); |
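Review bot: The new bound `max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / sizeof(VDAgentMonConfig)` uses an unsigned subtraction, so it only rejects anything if `msg_header->size` has already been checked to be at least `sizeof(VDAgentMonitorsConfig)`; the `goto overflow` immediately above the hunk looks like such a check, but its condition is outside the hunk, and without it a short size wraps to a huge `max_monitors` and the comparison passes every `num_of_monitors`. If that lower bound is not already enforced there, add `if (msg_header->size < sizeof(VDAgentMonitorsConfig)) goto overflow;` before the division. The added comment would also read better if it named the bound rather than the symptom, e.g. `// num_of_monitors must not exceed the VDAgentMonConfig entries that fit in msg_header->size`. reds_on_main_agent_monitors_config begins before and continues past this hunk, so the cap on `msg_header->size` mentioned by the comment in the first hunk could not be verified here.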
| -- |
| 2.11.0 |
| |