aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFam Zheng <famz@redhat.com>2014-03-26 13:05:40 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 14:19:09 +0200
commit6d4b9e55fc625514a38d27cff4b9933f617fa7dc (patch)
treee7f1b23bca541fb54755d26e8477dad3e2c78dce
parent1d7678dec4761acdc43439da6ceda41a703ba1a6 (diff)
downloadqemu-6d4b9e55fc625514a38d27cff4b9933f617fa7dc.zip
qemu-6d4b9e55fc625514a38d27cff4b9933f617fa7dc.tar.gz
qemu-6d4b9e55fc625514a38d27cff4b9933f617fa7dc.tar.bz2
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
curl_read_cb is callback function for libcurl when data arrives. The data size passed in here is not guaranteed to be within the range of request we submitted, so we may overflow the guest IO buffer. Check the real size we have before memcpy to buffer to avoid overflow. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-rw-r--r--block/curl.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/block/curl.c b/block/curl.c
index 3494c6d..1b9b1f6 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
if (!s || !s->orig_buf)
goto read_end;
+ if (s->buf_off >= s->buf_len) {
+ /* buffer full, read nothing */
+ return 0;
+ }
+ realsize = MIN(realsize, s->buf_len - s->buf_off);
memcpy(s->orig_buf + s->buf_off, ptr, realsize);
s->buf_off += realsize;