33 lines
1.1 KiB
Diff
33 lines
1.1 KiB
Diff
From 1d3e26c0ee75712fa4bbbcfa09d8d5866b66c8af Mon Sep 17 00:00:00 2001
|
|
From: Frediano Ziglio <fziglio@redhat.com>
|
|
Date: Tue, 29 Nov 2016 16:46:56 +0000
|
|
Subject: [spice-server 3/3] main-channel: Prevent overflow reading messages
|
|
from client
|
|
|
|
Caller is supposed the function return a buffer able to store
|
|
size bytes.
|
|
|
|
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
|
---
|
|
server/main-channel.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/server/main-channel.c b/server/main-channel.c
|
|
index 24dd448..1124506 100644
|
|
--- a/server/main-channel.c
|
|
+++ b/server/main-channel.c
|
|
@@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
|
|
|
|
if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
|
|
return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size);
|
|
+ } else if (size > sizeof(main_chan->recv_buf)) {
|
|
+ /* message too large, caller will log a message and close the connection */
|
|
+ return NULL;
|
|
} else {
|
|
return main_chan->recv_buf;
|
|
}
|
|
--
|
|
2.9.3
|
|
|