Commit 9b98e01c authored by Frediano Ziglio

channel-main: Handle not terminated host_data and cert_subject_data fields



host_data and cert_subject_data fields from SPICE messages may not be
NUL terminated, so using g_strdup can lead to a read overflow.

This bug was discovered by Uri Lublin.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
parent 1f2a7a07
Pipeline #202398 passed with stage
in 4 minutes and 30 seconds
......@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel,
mig->src_channel = channel;
mig->info = *dst_info;
if (dst_info->host_data) {
mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data);
mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size);
}
if (dst_info->cert_subject_data) {
mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data);
mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data,
dst_info->cert_subject_size);
}
mig->from = coroutine_self();
mig->do_seamless = do_seamless;
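Review bot: the two g_strndup calls in main_migrate_connect take dst_info->host_size and dst_info->cert_subject_size as the read bound, and nothing in this hunk shows those sizes being checked against the length of the received message. g_strndup reads until the first NUL or until n bytes have been consumed, so a size larger than the real buffer would still read past its end. If the demarshalling code already guarantees the bound, a one-line comment above the copies saying so would make the fix self-explanatory; otherwise the check belongs here before the copy. A smaller point: data containing an embedded NUL is silently truncated at that byte by g_strndup, which is worth a deliberate decision for cert_subject_data (reject, or document that truncation is acceptable).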