| From ec6229c79abe05d731953df5f7e9a05ec9f6df79 Mon Sep 17 00:00:00 2001 |
| From: Frediano Ziglio <fziglio@redhat.com> |
| Date: Mon, 15 May 2017 15:57:28 +0100 |
| Subject: [PATCH] reds: Avoid integer overflows handling monitor |
| configuration |
| |
| Avoid VDAgentMessage::size integer overflows. |
| |
| Signed-off-by: Frediano Ziglio <fziglio@redhat.com> |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| server/reds.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/server/reds.c b/server/reds.c |
| index 7be85fdf..e1c8c108 100644 |
| --- a/server/reds.c |
| +++ b/server/reds.c |
| @@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config( |
| spice_debug("not enough data yet. %d", cmc->buffer_size); |
| return; |
| } |
| + if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { |
| + goto overflow; |
| + } |
| monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); |
| spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); |
| red_dispatcher_client_monitors_config(monitors_config); |
| -- |
| 2.11.0 |
| |