reds: Avoid integer overflows handling monitor configuration

Avoid VDAgentMessage::size integer overflows. Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
2025-12-26 22:48:19 +00:00 · 2017-05-15 15:57:28 +01:00 · 2017-05-15 15:57:28 +01:00 · 571cec91e7
commit 571cec91e7
parent 111ab38611
1 changed files with 3 additions and 0 deletions
--- a/server/reds.c
+++ b/server/reds.c
@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
        spice_debug("not enough data yet. %zd", cmc->offset);
        return;
    }
+    if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
+        goto overflow;
+    }
    monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
    spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors);
    reds_client_monitors_config(reds, monitors_config);