channel-main: Handle not terminated host_data and cert_subject_data fields

host_data and cert_subject_data fields from SPICE messages could be not NUL terminated so using g_strdup can lead to some read overflow. This bug was discovered by Uri Lublin. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>

channel-main: Handle not terminated host_data and cert_subject_data fields
host_data and cert_subject_data fields from SPICE messages could be not NUL terminated so using g_strdup can lead to some read overflow. This bug was discovered by Uri Lublin. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
9b98e01c · Frediano Ziglio · 1f2a7a07 · 9b98e01c
Commit 9b98e01c authored Sep 16, 2020 by Frediano Ziglio
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

src/channel-main.c src/channel-main.c +3 -2

No files found.
--- a/src/channel-main.c
+++ b/src/channel-main.c
@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel,
    mig->src_channel = channel;
    mig->info = *dst_info;
    if (dst_info->host_data) {
-        mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data);
+        mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size);
    }
    if (dst_info->cert_subject_data) {
-        mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data);
+        mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data,
+                                                         dst_info->cert_subject_size);
    }
    mig->from = coroutine_self();
    mig->do_seamless = do_seamless;