84 lines
2.8 KiB
Diff
84 lines
2.8 KiB
Diff
|
commit 774b21c163845170c9ffa873f5720d318812eaf6
|
||
|
Author: Eric Blake <eblake@redhat.com>
|
||
|
Date: Fri Jun 24 12:16:05 2011 -0600
|
||
|
|
||
|
remote: protect against integer overflow
|
||
|
|
||
|
Integer overflow and remote code are never a nice mix.
|
||
|
|
||
|
This has existed since commit 56cd414.
|
||
|
|
||
|
* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
|
||
|
* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
|
||
|
on sending rpc.
|
||
|
* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
|
||
|
receiving rpc.
|
||
|
|
||
|
Index: libvirt-0.9.2/daemon/remote.c
|
||
|
===================================================================
|
||
|
--- libvirt-0.9.2.orig/daemon/remote.c
|
||
|
+++ libvirt-0.9.2/daemon/remote.c
|
||
|
@@ -61,6 +61,7 @@
|
||
|
#include "network.h"
|
||
|
#include "libvirt/libvirt-qemu.h"
|
||
|
#include "command.h"
|
||
|
+#include "intprops.h"
|
||
|
|
||
|
#define VIR_FROM_THIS VIR_FROM_REMOTE
|
||
|
|
||
|
@@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemu
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
|
||
|
+ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
|
||
|
+ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
|
||
|
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
|
||
|
goto cleanup;
|
||
|
}
|
||
|
Index: libvirt-0.9.2/src/libvirt.c
|
||
|
===================================================================
|
||
|
--- libvirt-0.9.2.orig/src/libvirt.c
|
||
|
+++ libvirt-0.9.2/src/libvirt.c
|
||
|
@@ -39,6 +39,7 @@
|
||
|
#include "util.h"
|
||
|
#include "memory.h"
|
||
|
#include "configmake.h"
|
||
|
+#include "intprops.h"
|
||
|
|
||
|
#ifndef WITH_DRIVER_MODULES
|
||
|
# ifdef WITH_TEST
|
||
|
@@ -6805,8 +6806,8 @@ virDomainGetVcpus(virDomainPtr domain, v
|
||
|
|
||
|
/* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
|
||
|
try to memcpy anything into a NULL pointer. */
|
||
|
- if ((cpumaps == NULL && maplen != 0)
|
||
|
- || (cpumaps && maplen <= 0)) {
|
||
|
+ if (!cpumaps ? maplen != 0
|
||
|
+ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
|
||
|
virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
|
||
|
goto error;
|
||
|
}
|
||
|
Index: libvirt-0.9.2/src/remote/remote_driver.c
|
||
|
===================================================================
|
||
|
--- libvirt-0.9.2.orig/src/remote/remote_driver.c
|
||
|
+++ libvirt-0.9.2/src/remote/remote_driver.c
|
||
|
@@ -84,6 +84,7 @@
|
||
|
#include "ignore-value.h"
|
||
|
#include "files.h"
|
||
|
#include "command.h"
|
||
|
+#include "intprops.h"
|
||
|
|
||
|
#define VIR_FROM_THIS VIR_FROM_REMOTE
|
||
|
|
||
|
@@ -2032,7 +2033,8 @@ remoteDomainGetVcpus (virDomainPtr domai
|
||
|
maxinfo, REMOTE_VCPUINFO_MAX);
|
||
|
goto done;
|
||
|
}
|
||
|
- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
|
||
|
+ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
|
||
|
+ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
|
||
|
remoteError(VIR_ERR_RPC,
|
||
|
_("vCPU map buffer length exceeds maximum: %d > %d"),
|
||
|
maxinfo * maplen, REMOTE_CPUMAPS_MAX);
|