From 8251fa25ac0c0a9a8055a6eb7299d7d379341b94 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Wed, 30 May 2018 14:32:10 +0100
Subject: [PATCH 22/43] Minimal message size check

Avoid some possible integer overflows.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 vdagent/vdagent.cpp | 54 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
index 551f326..1e8f27c 100644
--- a/vdagent/vdagent.cpp
+++ b/vdagent/vdagent.cpp
@@ -1231,6 +1231,60 @@ void VDAgent::dispatch_message(VDAgentMessage* msg, uint32_t port)
 {
     bool res = true;
 
+    // check minimal message size
+    int min_size = -1;
+    switch (msg->type) {
+    case VD_AGENT_MOUSE_STATE:
+        min_size = sizeof(VDAgentMouseState);
+        break;
+    case VD_AGENT_MONITORS_CONFIG:
+        min_size = sizeof(VDAgentMonitorsConfig);
+        break;
+    case VD_AGENT_CLIPBOARD:
+        min_size = sizeof(VDAgentClipboard);
+        break;
+    case VD_AGENT_CLIPBOARD_GRAB:
+        min_size = sizeof(VDAgentClipboardGrab);
+        break;
+    case VD_AGENT_CLIPBOARD_REQUEST:
+        min_size = sizeof(VDAgentClipboardRequest);
+        break;
+    case VD_AGENT_CLIPBOARD_RELEASE:
+        min_size = sizeof(VDAgentClipboardRelease);
+        break;
+    case VD_AGENT_DISPLAY_CONFIG:
+        min_size = sizeof(VDAgentDisplayConfig);
+        break;
+    case VD_AGENT_ANNOUNCE_CAPABILITIES:
+        min_size = sizeof(VDAgentAnnounceCapabilities);
+        break;
+    case VD_AGENT_FILE_XFER_START:
+        min_size = sizeof(VDAgentFileXferStatusMessage);
+        break;
+    case VD_AGENT_FILE_XFER_STATUS:
+        min_size = sizeof(VDAgentFileXferStatusMessage);
+        break;
+    case VD_AGENT_FILE_XFER_DATA:
+        min_size = sizeof(VDAgentFileXferDataMessage);
+        break;
+    case VD_AGENT_CLIENT_DISCONNECTED:
+        min_size = 0;
+        break;
+    case VD_AGENT_MAX_CLIPBOARD:
+        min_size = sizeof(VDAgentMaxClipboard);
+        break;
+    }
+    if (min_size < 0) {
+        vd_printf("Unsupported message type %u size %u", msg->type, msg->size);
+        _running = false;
+        return;
+    }
+    if (msg->size < (unsigned) min_size) {
+        vd_printf("Unexpected msg size %u for message type %u", msg->size, msg->type);
+        _running = false;
+        return;
+    }
+
     switch (msg->type) {
     case VD_AGENT_MOUSE_STATE:
         res = handle_mouse_event((VDAgentMouseState*)msg->data);
-- 
2.17.1