File 774b21c1-CVE-2011-2511.patch of Package libvirt.import5774

commit 774b21c163845170c9ffa873f5720d318812eaf6
Author: Eric Blake <eblake@redhat.com>
Date:   Fri Jun 24 12:16:05 2011 -0600

    remote: protect against integer overflow
    
    Integer overflow and remote code are never a nice mix.
    
    This has existed since commit 56cd414.
    
    * src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
    * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
    on sending rpc.
    * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
    receiving rpc.

Index: libvirt-0.8.8/daemon/remote.c
===================================================================
--- libvirt-0.8.8.orig/daemon/remote.c
+++ libvirt-0.8.8/daemon/remote.c
@@ -60,6 +60,7 @@
 #include "uuid.h"
 #include "network.h"
 #include "libvirt/libvirt-qemu.h"
+#include "intprops-supp.h"
 
 #define VIR_FROM_THIS VIR_FROM_REMOTE
 #define REMOTE_DEBUG(fmt, ...) DEBUG(fmt, __VA_ARGS__)
@@ -1722,7 +1723,8 @@ remoteDispatchDomainGetVcpus (struct qem
         return -1;
     }
 
-    if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+    if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
+        args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
         virDomainFree(dom);
         remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
         return -1;
Index: libvirt-0.8.8/src/libvirt.c
===================================================================
--- libvirt-0.8.8.orig/src/libvirt.c
+++ libvirt-0.8.8/src/libvirt.c
@@ -40,6 +40,7 @@
 #include "util.h"
 #include "memory.h"
 #include "configmake.h"
+#include "intprops-supp.h"
 
 #ifndef WITH_DRIVER_MODULES
 # ifdef WITH_TEST
@@ -5363,8 +5364,8 @@ virDomainGetVcpus(virDomainPtr domain, v
 
     /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
        try to memcpy anything into a NULL pointer.  */
-    if ((cpumaps == NULL && maplen != 0)
-        || (cpumaps && maplen <= 0)) {
+    if (!cpumaps ? maplen != 0
+        : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
         virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
         goto error;
     }
Index: libvirt-0.8.8/src/remote/remote_driver.c
===================================================================
--- libvirt-0.8.8.orig/src/remote/remote_driver.c
+++ libvirt-0.8.8/src/remote/remote_driver.c
@@ -83,6 +83,7 @@
 #include "event.h"
 #include "ignore-value.h"
 #include "files.h"
+#include "intprops-supp.h"
 
 #define VIR_FROM_THIS VIR_FROM_REMOTE
 
@@ -2850,7 +2851,8 @@ remoteDomainGetVcpus (virDomainPtr domai
                     maxinfo, REMOTE_VCPUINFO_MAX);
         goto done;
     }
-    if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+    if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
+        maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
         remoteError(VIR_ERR_RPC,
                     _("vCPU map buffer length exceeds maximum: %d > %d"),
                     maxinfo * maplen, REMOTE_CPUMAPS_MAX);
openSUSE Build Service is sponsored by