uml: sanity check external data before using it

Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.

* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.

diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 31112115c129a84ccc248d257f16649d08623561..1cbd0bd81c8234f7069808fc3794913229b2ad88 100644 (file)
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
         if (nbytes < 0) {
             if (errno == EAGAIN || errno == EINTR)
                 continue;
-            virReportSystemError(errno,
-                                 _("cannot read reply %s"),
-                                 cmd);
+            virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
         if (nbytes < sizeof res) {
-            virReportSystemError(errno,
-                                 _("incomplete reply %s"),
-                                 cmd);
+            virReportSystemError(0, _("incomplete reply %s"), cmd);
+            goto error;
+        }
+        if (sizeof res.data < res.length) {
+            virReportSystemError(0, _("invalid length in reply %s"), cmd);
             goto error;
         }