On Thu, Sep 12, 2019 at 05:34:35PM +0200, Stefan Hajnoczi wrote:
> On Tue, Sep 03, 2019 at 04:37:33PM -0400, Jagannathan Raman wrote:
> > + msg->num_fds = 0;
> > + for (chdr = CMSG_FIRSTHDR(&hdr); chdr != NULL;
> > + chdr = CMSG_NXTHDR(&hdr, chdr)) {
> > + if ((chdr->cmsg_level == SOL_SOCKET) &&
> > + (chdr->cmsg_type == SCM_RIGHTS)) {
> > + fdsize = chdr->cmsg_len - CMSG_LEN(0);
> > + msg->num_fds = fdsize / sizeof(int);
> > + memcpy(msg->fds, CMSG_DATA(chdr), fdsize);
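Review bot: `fdsize` is derived directly from the peer-supplied `chdr->cmsg_len` and handed to `memcpy` into `msg->fds` without any bound, so a sender attaching more descriptors than the receiver's array holds overruns it, and since `fdsize` need not be a multiple of `sizeof(int)` the last element can be partially written. Bound it before the copy (assuming `fds` is a fixed-size array in the message struct), e.g. `if (fdsize > sizeof(msg->fds) || fdsize % sizeof(int)) { /* reject message */ }`, and only then set `num_fds` and copy.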
>
> Please validate num_fds before memcpy to prevent the buffer overflow.
>
> > + break;
> > + }
> > + }
> > +
> > + if (msg->size && msg->bytestream) {
> > + msg->data2 = calloc(1, msg->size);
> > + data = msg->data2;
> > + } else {
> > + data = (uint8_t *)&msg->data1;
> > + }
> > +
> > + if (msg->size) {
> > + do {
> > + rc = read(sock, data, msg->size);
> > + } while (rc < 0 && (errno == EINTR || errno == EAGAIN));
> > + }
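Review bot: `msg->size` comes from the peer and is used unchecked as the `calloc` length, as the `read` length and, on the `else` branch, as the number of bytes written into the inline `msg->data1`, whose size is fixed, so an oversized value overruns the message struct, and in the bytestream case a huge value is an unbounded allocation whose NULL result is never checked before `read` writes through it. Add an upper bound on `size` (`sizeof(msg->data1)` when `bytestream` is clear, a protocol maximum otherwise), check the `calloc` result, and also check `rc`: `read` may return fewer than `msg->size` bytes or 0 on EOF, but the loop only retries on `EINTR`/`EAGAIN`, so a short read leaves the tail of `data` unfilled while the caller treats the message as complete.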
>
> Please validate size to prevent the buffer overflow.

I didn't see a reply so I want to highlight that the effort to introduce isolation between devices is pointless if the communications link is not coded securely. Multi-process QEMU adds no security if one process can corrupt the memory of another process by sending invalid inputs. Please audit the code.

Stefan
