From 96da0a4819bd72dace93aa1fde3cd3152fed018e Mon Sep 17 00:00:00 2001
From: Alon Levy <alevy@redhat.com>
Date: Tue, 7 Dec 2010 12:56:30 +0200
Subject: server/inputs: return NULL on alloc_buf request for too large message

---
 server/inputs_channel.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/inputs_channel.c b/server/inputs_channel.c
index de62bfe5..e53a634b 100644
--- a/server/inputs_channel.c
+++ b/server/inputs_channel.c
@@ -157,6 +157,10 @@ static uint8_t *inputs_channel_alloc_msg_rcv_buf(RedChannel *channel, SpiceDataH
 {
     InputsChannel *inputs_channel = SPICE_CONTAINEROF(channel, InputsChannel, base);
 
+    if (msg_header->size > RECEIVE_BUF_SIZE) {
+        red_printf("error: too large incoming message");
+        return NULL;
+    }
     return inputs_channel->recv_buf;
 }
 
-- 
cgit