diff options
Diffstat (limited to 'pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch')
-rw-r--r-- | pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch b/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch new file mode 100644 index 000000000000..8098f568e21a --- /dev/null +++ b/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch @@ -0,0 +1,56 @@ +From 75e8685740199537bfefcbd9996ec3ff9f6342e6 Mon Sep 17 00:00:00 2001 +From: Graham Christensen <graham@grahamc.com> +Date: Wed, 8 Feb 2017 21:58:43 -0500 +Subject: [PATCH] Adapting the following patch, from + http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0003-main-channel-Prevent-overflow-reading-messages-from-.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d + +> From: Frediano Ziglio <fziglio@redhat.com> +> Date: Tue, 29 Nov 2016 16:46:56 +0000 +> Subject: [spice-server 3/3] main-channel: Prevent overflow reading messages +> from client +> +> Caller is supposed the function return a buffer able to store +> size bytes. +> +> Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +> Acked-by: Christophe Fergeau <cfergeau@redhat.com> +> --- +> server/main-channel.c | 3 +++ +> 1 file changed, 3 insertions(+) +> +> diff --git a/server/main-channel.c b/server/main-channel.c +> index 24dd448..1124506 100644 +> --- a/server/main-channel.c +> +++ b/server/main-channel.c +> @@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, +> +> if (type == SPICE_MSGC_MAIN_AGENT_DATA) { +> return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size); +> + } else if (size > sizeof(main_chan->recv_buf)) { +> + /* message too large, caller will log a message and close the connection */ +> + return NULL; +> } else { +> return main_chan->recv_buf; +> } +> -- +> 2.9.3 +> --- + server/main_channel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/server/main_channel.c b/server/main_channel.c +index 0ecc9df..1fc3915 100644 +--- a/server/main_channel.c ++++ b/server/main_channel.c +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, + + if (type == SPICE_MSGC_MAIN_AGENT_DATA) { + return reds_get_agent_data_buffer(mcc, size); ++ } else if (size > sizeof(main_chan->recv_buf)) { ++ /* message too large, caller will log a message and close the connection */ ++ return NULL; + } else { + return main_chan->recv_buf; + } +-- +2.10.0 |