044d25bcda
Regenerate the patches using --no-signature --zero-commit --no-numbered as it makes it easier to regenerate exactly the same patches on a different setup.
30 lines
1.1 KiB
Diff
30 lines
1.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Frediano Ziglio <fziglio@redhat.com>
|
|
Date: Tue, 29 Nov 2016 16:46:56 +0000
|
|
Subject: [spice-server] main-channel: Prevent overflow reading messages from
|
|
client
|
|
|
|
Caller is supposed the function return a buffer able to store
|
|
size bytes.
|
|
|
|
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
|
---
|
|
server/main-channel.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/server/main-channel.c b/server/main-channel.c
|
|
index 24dd448..1124506 100644
|
|
--- a/server/main-channel.c
|
|
+++ b/server/main-channel.c
|
|
@@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
|
|
|
|
if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
|
|
return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size);
|
|
+ } else if (size > sizeof(main_chan->recv_buf)) {
|
|
+ /* message too large, caller will log a message and close the connection */
|
|
+ return NULL;
|
|
} else {
|
|
return main_chan->recv_buf;
|
|
}
|