From 5324e83bf636b995522088d508e61ba5543777f4 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Thu, 19 Mar 2020 06:07:39 +0000
Subject: [PATCH 2/9] channel-main: Check proper size and caps handling
 VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE

VDAgentFileXferStatusMessage message can or cannot contain detailed
information attached to it.
Detect this correctly checking capabilities and flags.
This fixes a small buffer overflow reading in case the details are
off the payload.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
(cherry picked from commit b13fd0664075c951f5418f5828c0803408ad664d)
---
 meson.build        |  2 +-
 src/channel-main.c | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/meson.build b/meson.build
index 995268b..8098989 100644
--- a/meson.build
+++ b/meson.build
@@ -81,7 +81,7 @@ endforeach
 #
 # check for mandatory dependencies
 #
-spice_protocol_version='>= 0.14.1'
+spice_protocol_version='>= 0.14.2'
 
 glib_version = '2.46'
 glib_version_info = '>= @0@'.format(glib_version)
diff --git a/src/channel-main.c b/src/channel-main.c
index e89b813..c4fe02b 100644
--- a/src/channel-main.c
+++ b/src/channel-main.c
@@ -1891,6 +1891,7 @@ static void file_xfer_read_async_cb(GObject *source_object,
 
 /* coroutine context */
 static void main_agent_handle_xfer_status(SpiceMainChannel *channel,
+                                          const VDAgentMessage *msg_hdr,
                                           VDAgentFileXferStatusMessage *msg)
 {
     SpiceFileTransferTask *xfer_task;
@@ -1917,8 +1918,17 @@ static void main_agent_handle_xfer_status(SpiceMainChannel *channel,
                                     _("The spice agent reported an error during the file transfer"));
         break;
     case VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE: {
-        uint64_t *free_space = SPICE_ALIGNED_CAST(uint64_t *, msg->data);
-        gchar *free_space_str = g_format_size(*free_space);
+        const VDAgentFileXferStatusNotEnoughSpace *err =
+            (VDAgentFileXferStatusNotEnoughSpace*) msg->data;
+        if (!test_agent_cap(channel, VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS) ||
+            msg_hdr->size < sizeof(*msg) + sizeof(*err)) {
+            error =
+                g_error_new(SPICE_CLIENT_ERROR, SPICE_CLIENT_ERROR_FAILED,
+                            _("File transfer failed due to lack of free space on remote machine"));
+            break;
+        }
+
+        gchar *free_space_str = g_format_size(err->disk_free_space);
         gchar *file_size_str = g_format_size(spice_file_transfer_task_get_total_bytes(xfer_task));
         error = g_error_new(SPICE_CLIENT_ERROR, SPICE_CLIENT_ERROR_FAILED,
                             _("File transfer failed due to lack of free space on remote machine "
@@ -2110,7 +2120,7 @@ static void main_agent_handle_msg(SpiceChannel *channel,
         break;
     }
     case VD_AGENT_FILE_XFER_STATUS:
-        main_agent_handle_xfer_status(self, payload);
+        main_agent_handle_xfer_status(self, msg, payload);
         break;
     default:
         g_warning("unhandled agent message type: %u (%s), size %u",
-- 
2.26.2