[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 086/156] curl: check data size before memcpy to loc
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144) |
Date: |
Tue, 8 Jul 2014 12:17:57 -0500 |
From: Fam Zheng <address@hidden>
curl_read_cb is callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to buffer to avoid overflow.
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6d4b9e55fc625514a38d27cff4b9933f617fa7dc)
Signed-off-by: Michael Roth <address@hidden>
---
block/curl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/block/curl.c b/block/curl.c
index 1c04dcc..47cf70a 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t
nmemb, void *opaque)
if (!s || !s->orig_buf)
goto read_end;
+ if (s->buf_off >= s->buf_len) {
+ /* buffer full, read nothing */
+ return 0;
+ }
+ realsize = MIN(realsize, s->buf_len - s->buf_off);
memcpy(s->orig_buf + s->buf_off, ptr, realsize);
s->buf_off += realsize;
--
1.9.1
- [Qemu-stable] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), (continued)
- [Qemu-stable] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 076/156] qemu-iotests: Support for bochs format, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144),
Michael Roth <=
- [Qemu-stable] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at(), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 093/156] qcow2: Fix backing file name length check, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 098/156] qcow2: Check new refcount table size on growth, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 107/156] dmg: use uint64_t consistently for sectors and lengths, Michael Roth, 2014/07/08