+Wed Jan 28 14:27:11 +0100 2009 Jim Meyering <meyering@redhat.com>
+
+ libvirt_proxy: avoid potential buffer overflow
+ * proxy/libvirt_proxy.c (proxyReadClientSocket): Ensure that
+ we've read an entire virProxyPacket before dereferencing "req".
+ Analysis and patch by "Rasputin" <rasputin@email.ru>. Details in
+ <http://thread.gmane.org/gmane.comp.emulators.libvirt/11459>.
+
Wed Jan 28 14:53:37 +0100 2009 Jim Meyering <meyering@redhat.com>
* po/POTFILES.in: Add src/lxc_conf.c
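Review bot: the new entry is stamped 14:27:11 but is placed above the existing 14:53:37 entry from the same day, so the file is no longer in newest-first order at this point; either move it below that entry or refresh the timestamp. The summary line says "buffer overflow" while the body describes dereferencing "req" before a whole virProxyPacket has been read, so a word on what is actually at risk (a read of header fields that were never filled in) would make the entry easier to triage without following the gmane link.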
* proxy_svr.c: root suid proxy server for Xen access to APIs with no
* side effects from unauthenticated clients.
*
- * Copyright (C) 2006, 2007, 2008 Red Hat, Inc.
+ * Copyright (C) 2006, 2007, 2008, 2009 Red Hat, Inc.
*
* See COPYING.LIB for the License of this software
*
fprintf(stderr, "read %d bytes from client %d on socket %d\n",
ret, nr, pollInfos[nr].fd);
- if ((req->version != PROXY_PROTO_VERSION) ||
+ if ((ret != sizeof(virProxyPacket)) ||
+ (req->version != PROXY_PROTO_VERSION) ||
(req->len < sizeof(virProxyPacket)) ||
(req->len > sizeof(virProxyFullPacket)))
goto comm_error;
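Review bot: the added `ret != sizeof(virProxyPacket)` test compares a value that the fprintf just above prints with `%d` (a signed int) against a `size_t`, so it relies on the usual arithmetic conversions; if `ret` can be negative at this point it still fails the test, but only because the negative value wraps to a large unsigned one. An explicit `ret < 0` check or a cast would state that intent and avoid a sign-compare warning. It is also worth a one-line comment that this test must remain the first operand of the `||` chain, since short-circuit evaluation is what keeps `req->version` and `req->len` from being read out of a partially filled packet. Finally, a short read now goes straight to `comm_error` rather than being retried; that is a reasonable choice for a setuid proxy serving unauthenticated clients, but it should be stated in a comment so a later change does not relax it unknowingly.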