44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
|
From 3e8cab6da1a1572db9a91ee21687ab5dca7671b1 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Frediano Ziglio <fziglio@redhat.com>
|
||
|
|
Date: Sat, 26 May 2018 07:53:51 +0100
|
||
|
|
Subject: [PATCH 25/43] Minor overflow checks improvements
|
||
|
|
|
||
|
|
Although source of these data should be safe, improve data checks
|
||
|
|
to avoid some overflows and make the code more robust.
|
||
|
|
|
||
|
|
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
||
|
|
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
|
||
|
|
---
|
||
|
|
vdagent/vdagent.cpp | 8 +++++++-
|
||
|
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
|
||
|
|
index cf492cc..9fbff3d 100644
|
||
|
|
--- a/vdagent/vdagent.cpp
|
||
|
|
+++ b/vdagent/vdagent.cpp
|
||
|
|
@@ -1368,7 +1368,7 @@ VOID VDAgent::read_completion(DWORD err, DWORD bytes, LPOVERLAPPED overlapped)
|
||
|
|
count = sizeof(VDIChunk) - a->_read_pos;
|
||
|
|
} else if (a->_read_pos == sizeof(VDIChunk)) {
|
||
|
|
count = chunk->hdr.size;
|
||
|
|
- if (a->_read_pos + count > sizeof(a->_read_buf)) {
|
||
|
|
+ if (count > sizeof(a->_read_buf) - a->_read_pos) {
|
||
|
|
vd_printf("chunk is too large, size %u port %u", chunk->hdr.size, chunk->hdr.port);
|
||
|
|
a->_running = false;
|
||
|
|
return;
|
||
|
|
@@ -1420,6 +1420,12 @@ void VDAgent::handle_chunk(VDIChunk* chunk)
|
||
|
|
}
|
||
|
|
|
||
|
|
// the previous chunk was a partial message, so append this chunk to the previous chunk
|
||
|
|
+ if (chunk->hdr.size > sizeof(VDAgentMessage) + _in_msg->size - _in_msg_pos) {
|
||
|
|
+ vd_printf("Invalid VDAgentMessage message");
|
||
|
|
+ _running = false;
|
||
|
|
+ return;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
memcpy((uint8_t*)_in_msg + _in_msg_pos, chunk->data, chunk->hdr.size);
|
||
|
|
_in_msg_pos += chunk->hdr.size;
|
||
|
|
// update clipboard tick on each clipboard chunk for timeout setting
|
||
|
|
--
|
||
|
|
2.17.1
|
||
|
|
|