From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH 1/2] xenstore: sanity check incoming message body lengths Date: Sun, 1 Dec 2013 11:44:10 +0000 Message-ID: <529B210A.9080005@citrix.com> References: <1385770805-1929-1-git-send-email-mattd@bugfuzz.com> <1385770805-1929-2-git-send-email-mattd@bugfuzz.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1385770805-1929-2-git-send-email-mattd@bugfuzz.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Matthew Daley , xen-devel@lists.xen.org Cc: Ian Jackson , Ian Campbell , Stefano Stabellini List-Id: xen-devel@lists.xenproject.org On 30/11/2013 00:20, Matthew Daley wrote: > This is for the client-side receiving messages from xenstored, so there > is no security impact, unlike XSA-72. > > Coverity-ID: 1055449 > Coverity-ID: 1056028 > Signed-off-by: Matthew Daley Reviewed-by: Andrew Cooper > --- > tools/xenstore/xs.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/tools/xenstore/xs.c b/tools/xenstore/xs.c > index 261b841..184886f 100644 > --- a/tools/xenstore/xs.c > +++ b/tools/xenstore/xs.c > @@ -1145,6 +1145,12 @@ static int read_message(struct xs_handle *h, int nonblocking) > goto error_freemsg; > } > > + /* Sanity check message body length. */ > + if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) { > + saved_errno = E2BIG; > + goto error_freemsg; > + } > + > /* Allocate and read the message body. */ > body = msg->body = malloc(msg->hdr.len + 1); > if (body == NULL)