Commit 6d4b9e55 authored Mar 26, 2014 by Fam Zheng Committed by Stefan Hajnoczi Apr 01, 2014

curl: check data size before memcpy to local buffer. (CVE-2014-0144)



curl_read_cb is callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before memcpy to buffer to avoid overflow.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

parent 1d7678de

block/curl.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -157,6 +157,11 @@ static size_t curl_read_cb(void ptr, size_t size, size_t nmemb, void opaque)
		if (!s \|\| !s->orig_buf)
		goto read_end;

		if (s->buf_off >= s->buf_len) {
		/* buffer full, read nothing */
		return 0;
		}
		realsize = MIN(realsize, s->buf_len - s->buf_off);
		memcpy(s->orig_buf + s->buf_off, ptr, realsize);
		s->buf_off += realsize;