
[Xen-devel] [PATCH 1/2] xenstore: sanity check incoming message body lengths

Matthew Daley writes ("[PATCH 1/2] xenstore: sanity check incoming message body 
> This is for the client-side receiving messages from xenstored, so there
> is no security impact, unlike XSA-72.
> +     /* Sanity check message body length. */
> +     if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
> +             saved_errno = E2BIG;
> +             goto error_freemsg;
> +     }
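Review bot: on the `msg->hdr.len > XENSTORE_PAYLOAD_MAX` branch, the `goto error_freemsg` exits after the header has been consumed, but nothing in these lines drains the `msg->hdr.len` body bytes or marks the connection as failed. Unless `error_freemsg` does one of those, the next read on this handle will start inside the oversized body. Suggest closing or poisoning the connection on this path, or skipping the body before returning `E2BIG`, and saying in the comment which of the two is intended.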

If this situation should arise, your proposal would discard the
headers of the bogus message and read the start of what would be the
over-long payload as the next header.

Unfortunately, it looks like the existing code already does exactly
this if it experiences a malloc failure!

It would be best to either kill the connection dead, or perhaps to
skip the overlong data.
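The desynchronisation described in this reply, next to the two remedies it suggests, as an added C sketch that is not code from the patch or from the xenstore client library. `struct hdr`, `struct conn`, `read_msg`, the policy names and the 4096-byte cap are assumptions for illustration, and the byte stream is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 4096u   /* assumed cap, stands in for XENSTORE_PAYLOAD_MAX */
struct hdr { uint32_t type, req_id, tx_id, len; };    /* hypothetical wire header */
struct conn { const uint8_t *buf; size_t size, pos; int dead; }; /* in-memory "socket" */
enum policy { DESYNC, KILL, SKIP };  /* bail out only / kill connection / skip body */

static int read_all(struct conn *c, void *dst, size_t n)
{
    if (c->dead || c->size - c->pos < n) return -1;
    if (dst) memcpy(dst, c->buf + c->pos, n);   /* dst == NULL: drain without storing */
    c->pos += n;
    return 0;
}

/* Returns the message type, or -1 on error. The body is discarded in this sketch. */
int read_msg(struct conn *c, enum policy p)
{
    struct hdr h;
    if (read_all(c, &h, sizeof h)) return -1;
    if (h.len > PAYLOAD_MAX) {
        if (p == KILL) c->dead = 1;             /* every later read fails */
        else if (p == SKIP && read_all(c, NULL, h.len)) c->dead = 1; /* cannot resync */
        return -1;      /* DESYNC: header consumed, body left in the stream */
    }
    return read_all(c, NULL, h.len) ? -1 : (int)h.type;
}

/* Constructed stream: an oversized message whose body begins with bytes shaped
   like a header (type 99), then one valid message of type 2. Returns read #2. */
int second_read(enum policy p)
{
    static uint8_t s[sizeof(struct hdr) + 5000 + sizeof(struct hdr)];
    struct hdr big = {1, 0, 0, 5000}, fake = {99, 0, 0, 0}, ok = {2, 0, 0, 0};
    struct conn c = { s, sizeof s, 0, 0 };
    memset(s, 0, sizeof s);
    memcpy(s, &big, sizeof big);
    memcpy(s + sizeof big, &fake, sizeof fake);
    memcpy(s + sizeof big + 5000, &ok, sizeof ok);
    read_msg(&c, p);                 /* rejected as oversized under every policy */
    return read_msg(&c, p);
}

int main(void)
{
    printf("%d %d %d\n", second_read(DESYNC), second_read(KILL), second_read(SKIP));
    return 0;
}
```

Skipping still reads as many bytes as the peer's length field claims, so it only suits a peer that is trusted to eventually send them; killing the connection does not depend on that.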

