Integer overflow and remote code are never a nice mix.
This has existed since commit
56cd414.
* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
on sending rpc.
* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
receiving rpc.
#include "network.h"
#include "libvirt/libvirt-qemu.h"
#include "command.h"
+#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
goto cleanup;
}
- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
+ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
goto cleanup;
}
#include "util.h"
#include "memory.h"
#include "configmake.h"
+#include "intprops.h"
#ifndef WITH_DRIVER_MODULES
# ifdef WITH_TEST
/* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
try to memcpy anything into a NULL pointer. */
- if ((cpumaps == NULL && maplen != 0)
- || (cpumaps && maplen <= 0)) {
+ if (!cpumaps ? maplen != 0
+ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
goto error;
}
#include "ignore-value.h"
#include "files.h"
#include "command.h"
+#include "intprops.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
maxinfo, REMOTE_VCPUINFO_MAX);
goto done;
}
- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
+ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
remoteError(VIR_ERR_RPC,
_("vCPU map buffer length exceeds maximum: %d > %d"),
maxinfo * maplen, REMOTE_CPUMAPS_MAX);
projects / people / liuw / libxenctrl-split / libvirt.git / commitdiff