diff options
Diffstat (limited to 'recipes-support/spice/files/CVE-2017-7506-2.patch')
-rw-r--r-- | recipes-support/spice/files/CVE-2017-7506-2.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/recipes-support/spice/files/CVE-2017-7506-2.patch b/recipes-support/spice/files/CVE-2017-7506-2.patch new file mode 100644 index 0000000..a517b08 --- /dev/null +++ b/recipes-support/spice/files/CVE-2017-7506-2.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 6934f036240753a14514a71ede8bb44af2043f24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Frediano Ziglio <fziglio@redhat.com> | ||
3 | Date: Mon, 15 May 2017 15:57:28 +0100 | ||
4 | Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor | ||
5 | configuration | ||
6 | |||
7 | Avoid VDAgentMessage::size integer overflows. | ||
8 | |||
9 | Signed-off-by: Frediano Ziglio <fziglio@redhat.com> | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | [https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=ec6229c79abe05d731953df5f7e9a05ec9f6df79] | ||
13 | |||
14 | CVE: CVE-2017-7506 | ||
15 | |||
16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
17 | --- | ||
18 | server/reds.c | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/server/reds.c b/server/reds.c | ||
22 | index 701d5d8..62b1164 100644 | ||
23 | --- a/server/reds.c | ||
24 | +++ b/server/reds.c | ||
25 | @@ -1117,6 +1117,9 @@ static void reds_on_main_agent_monitors_config( | ||
26 | spice_debug("not enough data yet. %d\n", cmc->buffer_size); | ||
27 | return; | ||
28 | } | ||
29 | + if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { | ||
30 | + goto overflow; | ||
31 | + } | ||
32 | monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); | ||
33 | spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors); | ||
34 | red_dispatcher_client_monitors_config(monitors_config); | ||
35 | -- | ||
36 | 2.7.4 | ||
37 | |||