On a short read, members of the packet header are checked before they are
actually read. If uninitialized values can pass the test, they can be set to
arbitrary values while reading the remaining portion of a packet.

Buffer overflow is possible. libvirt_proxy is suid-root.


diff -urp libvirt-0.5.1/proxy/libvirt_proxy.c libvirt-dev/proxy/libvirt_proxy.c
--- libvirt-0.5.1/proxy/libvirt_proxy.c 2008-11-20 08:58:43.000000000 +0100
+++ libvirt-dev/proxy/libvirt_proxy.c   2009-01-25 12:51:33.000000000 +0100
@@ -385,7 +385,8 @@ retry:
        fprintf(stderr, "read %d bytes from client %d on socket %d\n",
                ret, nr, pollInfos[nr].fd);

-    if ((req->version != PROXY_PROTO_VERSION) ||
+    if ((ret != sizeof(virProxyPacket)) ||
+        (req->version != PROXY_PROTO_VERSION) ||
        (req->len < sizeof(virProxyPacket)) ||
        (req->len > sizeof(virProxyFullPacket)))
        goto comm_error;
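
Review bot: the new `(ret != sizeof(virProxyPacket))` test at the top of the condition compares a signed read result (it is printed with %d two lines above) against a size_t, and it turns every short read into `goto comm_error` without a comment saying that is intended. The comparison still rejects an error return, because a negative ret converts to a large unsigned value and fails the equality, but an explicit `ret < 0` branch or a cast would make that visible rather than implicit. A one-line comment stating that the header fields must not be inspected until the whole header has arrived would also document why this test has to stay first in the chain, ahead of the `req->version` and `req->len` checks. The commit message says the stale fields matter while the rest of the packet is read; that second read is outside this hunk, so it is worth confirming that its return value is compared against the expected remaining length in the same way.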

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
