authorYonit Halperin <yhalperi@redhat.com>2012-11-16 15:11:54 -0500
committerYonit Halperin <yhalperi@redhat.com>2012-11-26 11:08:11 -0500
commit4c1a2ad3f1b9d9ebdd578c5eaccf58ca845362fe (patch)
tree411ad9a29901d32f48f50077b667002293aa8ad2
parent16b38ec84ecc47880282aacc99eeaa6becc3eac7 (diff)
red_worker.c: fix memory corruption when data from client is bigger than 1024 bytes
Previously, there was no check for the size of the message received from the client, and all messages were read into a buffer of size 1024. However, migration data can be bigger than 1024. In such cases, memory corruption occurred.
-rw-r--r--server/red_worker.c12
1 files changed, 12 insertions, 0 deletions
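--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1597,12 +1597,24 @@ static uint8_t *common_alloc_recv_buf(RedChannelClient *rcc, uint16_t type, uint
 {
 CommonChannel *common = SPICE_CONTAINEROF(rcc->channel, CommonChannel, base);
+ /* SPICE_MSGC_MIGRATE_DATA is the only client message whose size is dynamic */
+ if (type == SPICE_MSGC_MIGRATE_DATA) {
+ return spice_malloc(size);
+ }
+
+ if (size > RECIVE_BUF_SIZE) {
+ spice_critical("unexpected message size %u (max is %d)", size, RECIVE_BUF_SIZE);
+ return NULL;
+ }
 return common->recv_buf;
 }
 static void common_release_recv_buf(RedChannelClient *rcc, uint16_t type, uint32_t size,
 uint8_t* msg)
 {
+ if (type == SPICE_MSGC_MIGRATE_DATA) {
+ free(msg);
+ }
 }
 #define CLIENT_PIXMAPS_CACHE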
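Review bot: The SPICE_MSGC_MIGRATE_DATA branch hands the client-supplied `size` straight to `spice_malloc(size)` with no upper bound, so the overflow of the fixed 1024-byte buffer is fixed but a peer can still make the server allocate up to 4 GiB per message; if `spice_malloc` aborts on allocation failure (as the spice-common wrappers appear to, worth confirming), that becomes a remote crash rather than a rejected message. Migration data has a bounded, server-known size, so the branch should check it before allocating: `if (size > MIGRATE_DATA_MAX_SIZE) { spice_critical("migrate data too big %u", size); return NULL; }` placed before the `return spice_malloc(size);`, where `MIGRATE_DATA_MAX_SIZE` is a placeholder for a project-defined limit. The `return NULL` paths also presume the caller treats a NULL receive buffer as a protocol error and disconnects rather than dereferencing it; that caller is outside this hunk and should be checked. The same hedged point applies if `spice_critical` aborts by default, in which case the `return NULL` after it is unreachable and the log message is the last thing the server does.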