| Summary: | client segfaults if server link message header size is set to 0. | ||
|---|---|---|---|
| Product: | Spice | Reporter: | Yaniv Kaul <ykaul> |
| Component: | spice-gtk | Assignee: | Spice Bug List <spice-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | | | |
| i915 platform: | | i915 features: | |
| Attachments: | (1) malformed server header message; (2) malformed server (python script), to be used with the red.bin message; (3) patch: do not segfault if link message header size is set to 0 | | |
Created attachment 52514 [details]
malformed server header message
Created attachment 52515 [details]
malformed server (python script). Use with the red.bin message.
Created attachment 52519 [details] [review]
do not segfault if link message header size is set to 0
In gtk/spice-channel.c, line 978:

```c
c->peer_msg = spice_malloc(c->peer_hdr.size);
```

However, peer_hdr.size is taken directly from the network, without a sanity check, and the success of the c->peer_msg allocation is not verified. Therefore, sending a malformed link header would crash the client.

Stack:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
1436        switch (c->peer_msg->error) {
(gdb) bt
#0  0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
#1  spice_channel_iterate_read (channel=0x1856f30) at spice-channel.c:1809
#2  0x00007f3625d783e4 in spice_channel_iterate (channel=0x1856f30) at spice-channel.c:1859
#3  spice_channel_coroutine (data=0x1856f30) at spice-channel.c:2007
```
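The defensive pattern the report asks for, as an added example that is not spice-gtk code: the header and reply structs, the `read_link_msg()` name, the return codes and the `LINK_MSG_MAX_SIZE` cap are all assumptions standing in for the real SpiceLinkHeader/SpiceLinkReply handling. It rejects a header size of 0 (the red.bin case) before any allocation, checks the allocation result, and confirms the payload was fully received.

```c
/* Added example, not spice-gtk code. Struct layouts, names and the size cap
 * are assumptions modelled on the report, not the real SPICE link protocol. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint32_t size; } link_header_t;  /* assumed: network-supplied size */
typedef struct { uint32_t error; } link_reply_t;  /* assumed: reply starts with error */

/* Assumed sanity cap on a link reply payload. */
#define LINK_MSG_MAX_SIZE (64u * 1024u)

enum { LINK_OK = 0, LINK_ERR_SIZE = -1, LINK_ERR_ALLOC = -2, LINK_ERR_SHORT = -3 };

/* Hardened reader: validate hdr->size before malloc(), check the allocation,
 * and only then hand back a reply whose ->error field is safe to read. */
int read_link_msg(const link_header_t *hdr, const uint8_t *payload,
                  size_t payload_len, link_reply_t **out)
{
    *out = NULL;
    /* size == 0 (the attachment's case) or anything smaller than the reply
     * struct would turn c->peer_msg->error into an out-of-bounds read. */
    if (hdr->size < sizeof(link_reply_t) || hdr->size > LINK_MSG_MAX_SIZE)
        return LINK_ERR_SIZE;
    if (payload_len < hdr->size)       /* short read: do not touch the struct */
        return LINK_ERR_SHORT;
    link_reply_t *msg = malloc(hdr->size);
    if (msg == NULL)                   /* allocation failure is a protocol error, not a crash */
        return LINK_ERR_ALLOC;
    memcpy(msg, payload, hdr->size);
    *out = msg;
    return LINK_OK;
}

int main(void)
{
    /* Constructed input mirroring red.bin: header size set to 0. */
    link_header_t bad = { .size = 0 };
    link_reply_t *msg = NULL;
    int rc = read_link_msg(&bad, NULL, 0, &msg);
    printf("size=0 header rejected: rc=%d\n", rc);            /* rc=-1 */

    link_header_t good = { .size = sizeof(link_reply_t) };
    uint8_t wire[sizeof(link_reply_t)] = { 0 };               /* constructed payload */
    rc = read_link_msg(&good, wire, sizeof wire, &msg);
    printf("valid header accepted: rc=%d error=%u\n", rc, msg->error);
    free(msg);
    return 0;
}
```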