summaryrefslogtreecommitdiffstats
path: root/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch')
-rw-r--r--package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
new file mode 100644
index 0000000000..5bf9b89d17
--- /dev/null
+++ b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
@@ -0,0 +1,43 @@
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: [PATCH] Prevent integer overflows in capability checks
+
+The limits for capabilities are specified using 32 bit unsigned integers.
+This could cause possible integer overflows causing buffer overflows.
+For instance the sum of num_common_caps and num_caps can be 0 avoiding
+additional checks.
+As the link message is now capped to 4096 and the capabilities are
+contained in the link message limit the capabilities to 1024
+(capabilities are expressed in number of uint32_t items).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d53..91504544 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+
++ /* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++ reds_link_free(link);
++ return;
++ }
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+
+--
+2.11.0
+
OpenPOWER on IntegriCloud