[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy t
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144) |
Date: |
Wed, 26 Mar 2014 13:05:40 +0100 |
From: Fam Zheng <address@hidden>
curl_read_cb is callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to buffer to avoid overflow.
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/curl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/block/curl.c b/block/curl.c
index 3494c6d..1b9b1f6 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t
nmemb, void *opaque)
if (!s || !s->orig_buf)
goto read_end;
+ if (s->buf_off >= s->buf_len) {
+ /* buffer full, read nothing */
+ return 0;
+ }
+ realsize = MIN(realsize, s->buf_len - s->buf_off);
memcpy(s->orig_buf + s->buf_off, ptr, realsize);
s->buf_off += realsize;
--
1.8.5.3
- Re: [Qemu-devel] [PATCH for-2.0 13/47] bochs: Fix bitmap offset calculation, (continued)
- [Qemu-devel] [PATCH for-2.0 14/47] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 15/47] vpc: Validate block size (CVE-2014-0142), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 19/47] qcow2: Check header_length (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 16/47] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 17/47] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144),
Stefan Hajnoczi <=
- [Qemu-devel] [PATCH for-2.0 20/47] qcow2: Check backing_file_offset (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 22/47] qcow2: Validate refcount table offset, Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 21/47] qcow2: Check refcount table size (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 23/47] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Stefan Hajnoczi, 2014/03/26
- [Qemu-devel] [PATCH for-2.0 25/47] qcow2: Fix backing file name length check, Stefan Hajnoczi, 2014/03/26