Bin Guo <[email protected]> writes: > multifd_recv_initial_packet() validates the channel ID received from > the source against the configured number of channels. The current > check uses '>' which allows msg.id == N to pass through. This ID is > then used to index multifd_recv_state->params[msg.id], which was > allocated with g_new0(MultiFDRecvParams, N) -- an out-of-bounds > access. > > A malicious or buggy source could send id == N and cause heap > corruption on the destination. > > Fix by changing '>' to '>='. Also fix the error message to say > "exceeds channel count" for accuracy. > > Signed-off-by: Bin Guo <[email protected]> > --- > migration/multifd.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/migration/multifd.c b/migration/multifd.c > index 035cb70f7b..b3eef875cc 100644 > --- a/migration/multifd.c > +++ b/migration/multifd.c > @@ -210,9 +210,9 @@ static int multifd_recv_initial_packet(QIOChannel *c, > Error **errp) > return -1; > } > > - if (msg.id > migrate_multifd_channels()) { > - error_setg(errp, "multifd: received channel id %u is greater than " > - "number of channels %u", msg.id, > migrate_multifd_channels()); > + if (msg.id >= migrate_multifd_channels()) { > + error_setg(errp, "multifd: received channel id %u exceeds " > + "channel count %u", msg.id, migrate_multifd_channels()); > return -1; > }
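Review bot: The bound change at `if (msg.id >= migrate_multifd_channels())` is correct: with N channels the valid indices are 0..N-1, so the old `>` let id == N through to index one past the end of the params array, and since msg.id is formatted with `%u` it is unsigned, so this single upper-bound check is sufficient and no lower-bound check is needed. Because the commit message describes this as heap corruption triggerable by a malicious migration source, the patch should carry a `Fixes: <commit-id-of-the-original-check>` tag and a `Cc: [email protected]` line so it is picked up for stable releases; the hunk shown here has neither. Minor: the `@@` header line is wrapped across `> Error **errp)` by mail-client line wrapping, which is harmless for reading but means the patch should be applied from the unwrapped original rather than from this quoted copy.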
Reviewed-by: Fabiano Rosas <[email protected]>
