]>
Commit | Line | Data |
---|---|---|
259e9b41 WB |
1 | From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001 |
2 | From: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
3 | Date: Mon, 11 Jan 2016 08:21:25 +0100 | |
4 | Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) | |
5 | ||
6 | When processing 'sendkey' command, hmp_sendkey routine null | |
7 | terminates the 'keyname_buf' array. This results in an OOB | |
8 | write issue, if 'keyname_len' was to fall outside of | |
9 | 'keyname_buf' array. | |
10 | ||
11 | Now checking the length against the buffer size before using | |
12 | it. | |
13 | ||
14 | Reported-by: Ling Liu <liuling-it@360.cn> | |
15 | Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
16 | --- | |
17 | hmp.c | 4 +++- | |
18 | 1 file changed, 3 insertions(+), 1 deletion(-) | |
19 | ||
20 | diff --git a/hmp.c b/hmp.c | |
21 | index c2b2c16..0c7a04c 100644 | |
22 | --- a/hmp.c | |
23 | +++ b/hmp.c | |
24 | @@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) | |
25 | while (1) { | |
26 | separator = strchr(keys, '-'); | |
27 | keyname_len = separator ? separator - keys : strlen(keys); | |
28 | + if (keyname_len >= sizeof(keyname_buf)) | |
29 | + goto err_out; | |
30 | pstrcpy(keyname_buf, sizeof(keyname_buf), keys); | |
31 | ||
32 | /* Be compatible with old interface, convert user inputted "<" */ | |
33 | @@ -1800,7 +1802,7 @@ out: | |
34 | return; | |
35 | ||
36 | err_out: | |
37 | - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); | |
38 | + monitor_printf(mon, "invalid parameter: %s\n", keys); | |
39 | goto out; | |
40 | } | |
41 | ||
42 | -- | |
43 | 2.1.4 | |
44 |