Date: Tue, 13 Oct 2015 23:59:10 +0530 (IST)
From: P J P
Subject: Re: [Qemu-devel] [PATCH] Limit memory r/w length to buffer size
To: qemu-devel@nongnu.org
Cc: Gerben van der Lubbe

Hello,

+-- On Tue, 13 Oct 2015, P J P wrote --+
| Below is a proposed patch to fix this issue.
|
| ===
| > From 88edb457a66f8ff96209a1603914171eade0658b Mon Sep 17 00:00:00 2001
| From: Prasad J Pandit
| Date: Mon, 12 Oct 2015 22:56:41 +0530
| Subject: Limit memory r/w length to buffer size
|
| GDB(1) stub communication protocol supports commands m/M to read
| and write 'len' bytes from/to the stub memory area.
|
| m addr,len : read 'len' bytes from address 'addr'
| M addr,len: : write 'len' bytes of 'data' to 'addr'
|
| Qemu stub uses automatic buffers of size 'MAX_PACKET_LENGTH=4096'
| to process these commands. Limit 'len' parameter value supplied
| by the host gdb(1) to the maximum buffer size to avoid any OOB
| buffer access.
|
| Reported-by: Gerben van der Lubbe
| Signed-off-by: Prasad J Pandit
| ---
| gdbstub.c | 2 ++
| 1 file changed, 2 insertions(+)

Could someone review it please?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
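
Added example, not part of the original message and not QEMU's code: a minimal handler for the `m addr,len` request described in the commit message, bounding the peer-supplied `len` before any fixed-size buffer is used. The helper name `handle_read_packet`, the `fake_mem` array standing in for target memory, and the exact bound (two hex characters per byte plus a terminator) are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PACKET_LENGTH 4096  /* buffer size named in the commit message */

/* Constructed stand-in for target memory; a real stub reads the guest. */
static unsigned char fake_mem[8192];

/*
 * Handle an "m addr,len" request (hypothetical helper, not QEMU's function).
 * Writes the hex-encoded reply into out[] and returns the reply length,
 * or -1 if the packet is malformed or 'len' would not fit the buffers.
 */
int handle_read_packet(const char *pkt, char out[MAX_PACKET_LENGTH])
{
    unsigned char mem_buf[MAX_PACKET_LENGTH];  /* automatic buffer */
    const char *lenstr;
    char *end;
    unsigned long addr, len, i;

    if (pkt[0] != 'm')
        return -1;
    addr = strtoul(pkt + 1, &end, 16);
    if (end == pkt + 1 || *end != ',')
        return -1;
    lenstr = end + 1;
    len = strtoul(lenstr, &end, 16);
    if (end == lenstr || *end != '\0')
        return -1;

    /* The reply is hex text: two characters per byte plus a NUL, so the
     * untrusted 'len' is bounded before either buffer is touched. An
     * overflowing value parses to ULONG_MAX and is rejected here too. */
    if (len > (MAX_PACKET_LENGTH - 1) / 2)
        return -1;
    /* Keep the read inside the constructed memory region as well. */
    if (addr > sizeof(fake_mem) || len > sizeof(fake_mem) - addr)
        return -1;

    memcpy(mem_buf, fake_mem + addr, len);
    for (i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02x", mem_buf[i]);
    out[2 * len] = '\0';
    return (int)(2 * len);
}
```
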