pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-26 22:48:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Prevent integer overflows in capability checks

Browse Source 
The limits for capabilities are specified using 32 bit unsigned integers.
This could cause possible integer overflows causing buffer overflows.
For instance the sum of num_common_caps and num_caps can be 0 avoiding
additional checks.
As the link message is now capped to 4096 and the capabilities are
contained in the link message limit the capabilities to 1024
(capabilities are expressed in number of uint32_t items).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2016-12-13 14:40:10 +00:00
parent ec124b982a
commit e16eee1d8b
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/reds.c
View File

@ -2186,6 +2186,14 @@ static void reds_handle_read_link_done(void *opaque)
link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
/* Prevent DoS. Currently we defined only 13 capabilities,
* I expect 1024 to be valid for quite a lot time */
if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
reds_link_free(link);
return;
}
num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);