qemu restore: don't let corrupt input provoke unwarranted OOM
authorJim Meyering <meyering@redhat.com>
Wed, 3 Mar 2010 10:27:16 +0000 (11:27 +0100)
committerJim Meyering <meyering@redhat.com>
Fri, 5 Mar 2010 17:32:34 +0000 (18:32 +0100)
* src/qemu/qemu_driver.c (qemudDomainRestore): A corrupt save file
(in particular, a too-large header.xml_len value) would cause an
unwarranted out-of-memory error.  Do not trust the just-read
header.xml_len.  Instead, merely use that as a hint, and
read/allocate up to that number of bytes from the file.
Also verify that header.xml_len is positive; if it were negative,
passing it to virFileReadLimFD could cause trouble.

src/qemu/qemu_driver.c

index 4707f721fe787f6df79ec575d582d7fef78d4b43..c6991b50eb916e2ff2ce97428e71ad31c6739ab1 100644 (file)
@@ -5117,12 +5117,13 @@ static int qemudDomainRestore(virConnectPtr conn,
         goto cleanup;
     }
 
-    if (VIR_ALLOC_N(xml, header.xml_len) < 0) {
-        virReportOOMError();
+    if (header.xml_len <= 0) {
+        qemuReportError(VIR_ERR_OPERATION_FAILED,
+                        _("invalid XML length: %d"), header.xml_len);
         goto cleanup;
     }
 
-    if (saferead(fd, xml, header.xml_len) != header.xml_len) {
+    if (virFileReadLimFD(fd, header.xml_len, &xml) != header.xml_len) {
         qemuReportError(VIR_ERR_OPERATION_FAILED,
                         "%s", _("failed to read XML"));
         goto cleanup;
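Review bot: The new call `virFileReadLimFD(fd, header.xml_len, &xml)` uses `header.xml_len` as a read limit, but the restore path presumably needs exactly that many bytes consumed and `fd` left at the first byte after the XML. The helper's contract is not visible here, so confirm it neither reads past the limit to detect oversized input nor returns an error when more data follows; either would reject a valid save file or leave the descriptor misaligned for whatever is read next. A comment above the length check would help, for example `/* header.xml_len comes from the save file and is untrusted; use it only as a read limit */`. Consider also an upper bound on the value, since a very large positive length paired with a large file can still drive a large allocation. qemudDomainRestore starts and ends outside the hunk, so the release of `xml` on the cleanup path cannot be checked from these lines.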