File bc251ea9-CVE-2018-5748.patch of Package libvirt.11695

commit bc251ea91bcfddd2622fce6bce701a438b2e7276
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Tue Jan 16 17:00:11 2018 +0000

    qemu: avoid denial of service reading from QEMU monitor (CVE-2018-5748)
    
    We read from QEMU until seeing a \r\n pair to indicate a completed reply
    or event. To avoid memory denial-of-service though, we must have a size
    limit on amount of data we buffer. 10 MB is large enough that it ought
    to cope with normal QEMU replies, and small enough that we're not
    consuming unreasonable mem.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-1.2.5/src/qemu/qemu_monitor.c
===================================================================
--- libvirt-1.2.5.orig/src/qemu/qemu_monitor.c
+++ libvirt-1.2.5/src/qemu/qemu_monitor.c
@@ -54,6 +54,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
 #define DEBUG_IO 0
 #define DEBUG_RAW_IO 0
 
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
+
 struct _qemuMonitor {
     virObjectLockable parent;
 
@@ -536,6 +545,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
     int ret = 0;
 
     if (avail < 1024) {
+        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
+            virReportSystemError(ERANGE,
+                                 _("No complete monitor response found in %d bytes"),
+                                 QEMU_MONITOR_MAX_RESPONSE);
+            return -1;
+        }
         if (VIR_REALLOC_N(mon->buffer,
                           mon->bufferLength + 1024) < 0)
             return -1;