[lxc-devel] [lxc/master] Avoid risk of "too far memory read"

Rachid-Koucha on Github lxc-bot at linuxcontainers.org
Sat Jan 26 23:11:03 UTC 2019


From 71fc9c046816b2bae564481741658defafc01b62 Mon Sep 17 00:00:00 2001
From: Rachid Koucha <47061324+Rachid-Koucha at users.noreply.github.com>
Date: Sun, 27 Jan 2019 00:10:39 +0100
Subject: [PATCH] Avoid risk of "too far memory read"

As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))

Signed-off-by: Rachid Koucha <rachid.koucha at gmail.com>
---
 src/lxc/commands.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 392fdab2ca..5f2e25b6dc 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -896,7 +896,7 @@ static int lxc_cmd_add_state_client_callback(int fd, struct lxc_cmd_req *req,
 	if (req->datalen < 0)
 		goto reap_client_fd;
 
-	if (req->datalen > (sizeof(lxc_state_t) * MAX_STATE))
+	if (req->datalen != (sizeof(lxc_state_t) * MAX_STATE))
 		goto reap_client_fd;
 
 	if (!req->data)
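Review bot: the new `!=` test compares `req->datalen`, which the `req->datalen < 0` check just above treats as a signed value, against a `size_t` product, so it relies on an implicit signed-to-unsigned conversion. A negative length converts to a large unsigned value and is still rejected by the inequality, so the preceding `< 0` branch is now redundant. Either drop that branch, or keep it for readability and add a one-line comment above the equality test saying the payload must be exactly MAX_STATE entries of lxc_state_t. The reason is the one given in the commit message: lxc_add_state_client() receives only `req->data` and copies `sizeof(newclient->states)` bytes with memcpy(), so a shorter payload would be read past its end. Since the accepted length is now a single exact value, it is also worth confirming that every sender of this command already transmits a full MAX_STATE array, because any client sending fewer entries will be refused after this change.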

