Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:11.4:Update
libvirt.import5774
774b21c1-CVE-2011-2511.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 774b21c1-CVE-2011-2511.patch of Package libvirt.import5774
commit 774b21c163845170c9ffa873f5720d318812eaf6 Author: Eric Blake <eblake@redhat.com> Date: Fri Jun 24 12:16:05 2011 -0600 remote: protect against integer overflow Integer overflow and remote code are never a nice mix. This has existed since commit 56cd414. * src/libvirt.c (virDomainGetVcpus): Reject overflow up front. * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow on sending rpc. * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on receiving rpc. Index: libvirt-0.8.8/daemon/remote.c =================================================================== --- libvirt-0.8.8.orig/daemon/remote.c +++ libvirt-0.8.8/daemon/remote.c @@ -60,6 +60,7 @@ #include "uuid.h" #include "network.h" #include "libvirt/libvirt-qemu.h" +#include "intprops-supp.h" #define VIR_FROM_THIS VIR_FROM_REMOTE #define REMOTE_DEBUG(fmt, ...) DEBUG(fmt, __VA_ARGS__) @@ -1722,7 +1723,8 @@ remoteDispatchDomainGetVcpus (struct qem return -1; } - if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) { + if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) || + args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) { virDomainFree(dom); remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX")); return -1; Index: libvirt-0.8.8/src/libvirt.c =================================================================== --- libvirt-0.8.8.orig/src/libvirt.c +++ libvirt-0.8.8/src/libvirt.c @@ -40,6 +40,7 @@ #include "util.h" #include "memory.h" #include "configmake.h" +#include "intprops-supp.h" #ifndef WITH_DRIVER_MODULES # ifdef WITH_TEST @@ -5363,8 +5364,8 @@ virDomainGetVcpus(virDomainPtr domain, v /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not try to memcpy anything into a NULL pointer. */ - if ((cpumaps == NULL && maplen != 0) - || (cpumaps && maplen <= 0)) { + if (!cpumaps ? maplen != 0 + : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) { virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } Index: libvirt-0.8.8/src/remote/remote_driver.c =================================================================== --- libvirt-0.8.8.orig/src/remote/remote_driver.c +++ libvirt-0.8.8/src/remote/remote_driver.c @@ -83,6 +83,7 @@ #include "event.h" #include "ignore-value.h" #include "files.h" +#include "intprops-supp.h" #define VIR_FROM_THIS VIR_FROM_REMOTE @@ -2850,7 +2851,8 @@ remoteDomainGetVcpus (virDomainPtr domai maxinfo, REMOTE_VCPUINFO_MAX); goto done; } - if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) { + if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) || + maxinfo * maplen > REMOTE_CPUMAPS_MAX) { remoteError(VIR_ERR_RPC, _("vCPU map buffer length exceeds maximum: %d > %d"), maxinfo * maplen, REMOTE_CPUMAPS_MAX);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor