Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch')
-rw-r--r--app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch47
1 files changed, 0 insertions, 47 deletions
diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
deleted file mode 100644
index 8792395977e9..000000000000
--- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Matthias Maier <tamiko@gentoo.org>
-
- - Ported to 0.13.3
-
-
-From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
- configuration
-
-It was also possible for a malicious client to set
-VDAgentMonitorsConfig::num_of_monitors to a number larger
-than the actual size of VDAgentMOnitorsConfig::monitors.
-This would lead to buffer overflows, which could allow the guest to
-read part of the host memory. This might cause write overflows in the
-host as well, but controlling the content of such buffers seems
-complicated.
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
----
-
-diff --git a/server/reds.c b/server/reds.c
-index ec89105..fd1457f 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
- VDAgentMessage *msg_header;
- VDAgentMonitorsConfig *monitors_config;
- RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
-+ uint32_t max_monitors;
-
- // limit size of message sent by the client as this can cause a DoS through
- // memory exhaustion, or potentially some integer overflows
-@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
- goto overflow;
- }
- monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
-+ // limit the monitor number to avoid buffer overflows
-+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
-+ sizeof(VDAgentMonConfig);
-+ if (monitors_config->num_of_monitors > max_monitors) {
-+ goto overflow;
-+ }
- spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
- reds_client_monitors_config(reds, monitors_config);
- reds_client_monitors_config_cleanup(reds);