From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50100) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSmbb-00018x-91 for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:06:57 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WSmbU-00040Z-Q8 for qemu-devel@nongnu.org; Wed, 26 Mar 2014 08:06:51 -0400 From: Stefan Hajnoczi Date: Wed, 26 Mar 2014 13:05:40 +0100 Message-Id: <1395835569-21193-19-git-send-email-stefanha@redhat.com> In-Reply-To: <1395835569-21193-1-git-send-email-stefanha@redhat.com> References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> Subject: [Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Kevin Wolf , Fam Zheng , pmatouse@redhat.com, qemu-stable@nongnu.org From: Fam Zheng curl_read_cb is callback function for libcurl when data arrives. The data size passed in here is not guaranteed to be within the range of request we submitted, so we may overflow the guest IO buffer. Check the real size we have before memcpy to buffer to avoid overflow. Signed-off-by: Fam Zheng Reviewed-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf --- block/curl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/curl.c b/block/curl.c index 3494c6d..1b9b1f6 100644 --- a/block/curl.c +++ b/block/curl.c @@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque) if (!s || !s->orig_buf) goto read_end; + if (s->buf_off >= s->buf_len) { + /* buffer full, read nothing */ + return 0; + } + realsize = MIN(realsize, s->buf_len - s->buf_off); memcpy(s->orig_buf + s->buf_off, ptr, realsize); s->buf_off += realsize; -- 1.8.5.3