From 4c1a2ad3f1b9d9ebdd578c5eaccf58ca845362fe Mon Sep 17 00:00:00 2001
From: Yonit Halperin
Date: Fri, 16 Nov 2012 15:11:54 -0500
Subject: red_worker.c: fix memory corruption when data from client is bigger than 1024 bytes

Previously, there was no check for the size of the message received from the client, and all messages were read into a buffer of size 1024. However, migration data can be bigger than 1024. In such cases, memory corruption occurred.
---
 server/red_worker.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'server')

diff --git a/server/red_worker.c b/server/red_worker.c
index d27aa7ec..54cad538 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1597,12 +1597,24 @@ static uint8_t *common_alloc_recv_buf(RedChannelClient *rcc, uint16_t type, uint
 {
     CommonChannel *common = SPICE_CONTAINEROF(rcc->channel, CommonChannel, base);
 
+    /* SPICE_MSGC_MIGRATE_DATA is the only client message whose size is dynamic */
+    if (type == SPICE_MSGC_MIGRATE_DATA) {
+        return spice_malloc(size);
+    }
+
+    if (size > RECIVE_BUF_SIZE) {
+        spice_critical("unexpected message size %u (max is %d)", size, RECIVE_BUF_SIZE);
+        return NULL;
+    }
     return common->recv_buf;
 }
 
 static void common_release_recv_buf(RedChannelClient *rcc, uint16_t type, uint32_t size, uint8_t* msg)
 {
+    if (type == SPICE_MSGC_MIGRATE_DATA) {
+        free(msg);
+    }
 }
 
 #define CLIENT_PIXMAPS_CACHE
-- 
cgit
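Review bot: The new SPICE_MSGC_MIGRATE_DATA branch in common_alloc_recv_buf allocates `size` bytes with no upper bound, so the size limit this commit introduces applies to every client message except the one whose size the client controls most freely; a peer can request an arbitrarily large allocation, and if spice_malloc aborts on failure (not visible in the hunk) that turns a malformed message into a server exit. A sanity cap before the allocation, e.g. `if (size > MAX_MIGRATE_DATA_SIZE) { spice_warning("migrate data too large: %u", size); return NULL; }` with `MAX_MIGRATE_DATA_SIZE` a placeholder for whatever bound the migration format admits, keeps the check consistent with the RECIVE_BUF_SIZE path below it. It is also worth confirming that the caller treats a NULL return as a protocol error and drops the client rather than dereferencing it, since both new `return NULL` paths depend on that. common_alloc_recv_buf's signature line sits in the hunk header, above the hunk itself.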