From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59230) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSuSJ-0004uX-Su for qemu-devel@nongnu.org; Wed, 26 Mar 2014 16:29:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WSuSD-0000mA-TK for qemu-devel@nongnu.org; Wed, 26 Mar 2014 16:29:47 -0400 Message-ID: <533338B0.5030403@redhat.com> Date: Wed, 26 Mar 2014 21:29:36 +0100 From: Max Reitz MIME-Version: 1.0 References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> <1395835569-21193-19-git-send-email-stefanha@redhat.com> In-Reply-To: <1395835569-21193-19-git-send-email-stefanha@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH for-2.0 18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Hajnoczi , qemu-devel@nongnu.org Cc: Kevin Wolf , pmatouse@redhat.com, Fam Zheng , qemu-stable@nongnu.org On 26.03.2014 13:05, Stefan Hajnoczi wrote: > From: Fam Zheng > > curl_read_cb is callback function for libcurl when data arrives. The > data size passed in here is not guaranteed to be within the range of > request we submitted, so we may overflow the guest IO buffer. Check the > real size we have before memcpy to buffer to avoid overflow. > > Signed-off-by: Fam Zheng > Reviewed-by: Stefan Hajnoczi > Signed-off-by: Kevin Wolf > --- > block/curl.c | 5 +++++ > 1 file changed, 5 insertions(+) Reviewed-by: Max Reitz