Patchwork [for-2.0,18/47] curl: check data size before memcpy to local buffer. (CVE-2014-0144)

login
register
mail settings
Submitter Stefan Hajnoczi
Date March 26, 2014, 12:05 p.m.
Message ID <1395835569-21193-19-git-send-email-stefanha@redhat.com>
Download mbox | patch
Permalink /patch/333867/
State New
Headers show

Comments

Stefan Hajnoczi - March 26, 2014, 12:05 p.m.
From: Fam Zheng <famz@redhat.com>

curl_read_cb is callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to buffer to avoid overflow.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/curl.c | 5 +++++
 1 file changed, 5 insertions(+)
Max Reitz - March 26, 2014, 8:29 p.m.
On 26.03.2014 13:05, Stefan Hajnoczi wrote:
> From: Fam Zheng <famz@redhat.com>
>
> curl_read_cb is callback function for libcurl when data arrives. The
> data size passed in here is not guaranteed to be within the range of
> request we submitted, so we may overflow the guest IO buffer. Check the
> real size we have before memcpy to buffer to avoid overflow.
>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>   block/curl.c | 5 +++++
>   1 file changed, 5 insertions(+)

Reviewed-by: Max Reitz <mreitz@redhat.com>

Patch

diff --git a/block/curl.c b/block/curl.c
index 3494c6d..1b9b1f6 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@  static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
     if (!s || !s->orig_buf)
         goto read_end;
 
+    if (s->buf_off >= s->buf_len) {
+        /* buffer full, read nothing */
+        return 0;
+    }
+    realsize = MIN(realsize, s->buf_len - s->buf_off);
     memcpy(s->orig_buf + s->buf_off, ptr, realsize);
     s->buf_off += realsize;