| Submitter | Stefan Hajnoczi |
|---|---|
| Date | March 26, 2014, 12:05 p.m. |
| Message ID | <1395835569-21193-19-git-send-email-stefanha@redhat.com> |
| Download | mbox | patch |
| Permalink | /patch/333867/ |
| State | New |
| Headers | show |
Comments
On 26.03.2014 13:05, Stefan Hajnoczi wrote: > From: Fam Zheng <famz@redhat.com> > > curl_read_cb is callback function for libcurl when data arrives. The > data size passed in here is not guaranteed to be within the range of > request we submitted, so we may overflow the guest IO buffer. Check the > real size we have before memcpy to buffer to avoid overflow. > > Signed-off-by: Fam Zheng <famz@redhat.com> > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> > Signed-off-by: Kevin Wolf <kwolf@redhat.com> > --- > block/curl.c | 5 +++++ > 1 file changed, 5 insertions(+) Reviewed-by: Max Reitz <mreitz@redhat.com>
Patch
diff --git a/block/curl.c b/block/curl.c index 3494c6d..1b9b1f6 100644 --- a/block/curl.c +++ b/block/curl.c @@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque) if (!s || !s->orig_buf) goto read_end; + if (s->buf_off >= s->buf_len) { + /* buffer full, read nothing */ + return 0; + } + realsize = MIN(realsize, s->buf_len - s->buf_off); memcpy(s->orig_buf + s->buf_off, ptr, realsize); s->buf_off += realsize;