Bug 41988 - client segfaults if server link message header size is set to 0.
Summary: client segfaults if server link message header size is set to 0.
Status: RESOLVED FIXED
Alias: None
Product: Spice
Classification: Unclassified
Component: spice-gtk
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Spice Bug List
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-19 01:51 UTC by Yaniv Kaul
Modified: 2011-10-19 03:11 UTC

See Also:


Attachments
malformed server header message (27 bytes, application/octet-stream)
2011-10-19 01:52 UTC, Yaniv Kaul
malformed server (python script). Use with the red.bin message. (883 bytes, text/x-python)
2011-10-19 01:53 UTC, Yaniv Kaul
do not segfault if link message header size is set to 0 (882 bytes, patch)
2011-10-19 02:28 UTC, Marc-Andre Lureau

Description Yaniv Kaul 2011-10-19 01:51:59 UTC
In gtk/spice-channel.c, line 978:
c->peer_msg = spice_malloc(c->peer_hdr.size);

However, peer_hdr.size is taken directly from the network, without a sanity check, and c->peer_msg allocation success is not verified. Therefore, sending a malformed link header would crash the client.

stack:
Program received signal SIGSEGV, Segmentation fault.
0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
1436	    switch (c->peer_msg->error) {
(gdb) bt
#0  0x00007f3625d79f6e in spice_channel_recv_link_msg (channel=0x1856f30) at spice-channel.c:1436
#1  spice_channel_iterate_read (channel=0x1856f30) at spice-channel.c:1809
#2  0x00007f3625d783e4 in spice_channel_iterate (channel=0x1856f30) at spice-channel.c:1859
#3  spice_channel_coroutine (data=0x1856f30) at spice-channel.c:2007
Comment 1 Yaniv Kaul 2011-10-19 01:52:33 UTC
Created attachment 52514 [details]
malformed server header message
Comment 2 Yaniv Kaul 2011-10-19 01:53:09 UTC
Created attachment 52515 [details]
malformed server (python script). Use with the red.bin message.
Comment 3 Marc-Andre Lureau 2011-10-19 02:28:21 UTC
Created attachment 52519 [details] [review]
do not segfault if link message header size is set to 0
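The kind of check the report asks for, written here as an added example rather than the attached patch or spice-gtk's own code: the header size field from the wire is bounded below by the reply structure size and above by a cap before anything is allocated, and the allocation result is checked. The struct layouts are simplified local stand-ins for SpiceLinkHeader/SpiceLinkReply, and LINK_MSG_MAX, recv_link_msg, build_msg and check_case are assumed names for this example only.

```c
/* Added example, not spice-gtk code. Struct layouts are simplified
 * stand-ins for the real SpiceLinkHeader/SpiceLinkReply. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SPICE_MAGIC   0x51444552u   /* "REDQ" link magic */
#define LINK_MSG_MAX  (64 * 1024)   /* assumed upper bound for a reply body */

typedef struct { uint32_t magic, major, minor, size; } LinkHeader; /* size = body bytes */
typedef struct { uint32_t error, pub_key[4], caps_offset; } LinkReply;

/* Returns 0 on success, -1 on a malformed or incomplete message, -2 if
 * malloc fails. On success *body is a malloc'd copy the caller frees. */
int recv_link_msg(const uint8_t *wire, size_t wire_len, LinkReply **body)
{
    LinkHeader hdr;
    *body = NULL;
    if (wire_len < sizeof hdr)
        return -1;
    memcpy(&hdr, wire, sizeof hdr);
    if (hdr.magic != SPICE_MAGIC)
        return -1;
    /* The reported code did spice_malloc(hdr.size) unconditionally: size 0
     * gives a buffer too small for ->error (the crash), and a huge size is
     * an allocation-exhaustion problem. Bound it in both directions. */
    if (hdr.size < sizeof(LinkReply) || hdr.size > LINK_MSG_MAX)
        return -1;
    if (wire_len - sizeof hdr < hdr.size)   /* body truncated */
        return -1;
    LinkReply *msg = malloc(hdr.size);
    if (msg == NULL)                        /* allocation success verified */
        return -2;
    memcpy(msg, wire + sizeof hdr, hdr.size);
    *body = msg;
    return 0;
}

/* Constructed test message: header with the given size field, then
 * body_len zero bytes. Returns the number of bytes written. */
size_t build_msg(uint8_t *out, uint32_t size_field, size_t body_len)
{
    LinkHeader hdr = { SPICE_MAGIC, 2, 2, size_field };
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 0, body_len);
    return sizeof hdr + body_len;
}

/* Runs one constructed case (body_len <= 240) and returns the result code. */
int check_case(uint32_t size_field, size_t body_len)
{
    uint8_t buf[256];
    LinkReply *r;
    int rc = recv_link_msg(buf, build_msg(buf, size_field, body_len), &r);
    free(r);
    return rc;
}
```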

