On Mon, Oct 05, 2020 at 11:50:54AM -0700, [email protected] wrote:
> +void mpqemu_msg_recv(MPQemuMsg *msg, QIOChannel *ioc, Error **errp)
> +{
> + Error *local_err = NULL;
> + int *fds = NULL;
> + size_t nfds = 0;
> + ssize_t len;
> +
> + len = mpqemu_read(ioc, (void *)msg, MPQEMU_MSG_HDR_SIZE, &fds, &nfds,
> + &local_err);
> + if (!local_err) {
> + if (len == -EIO) {
> + error_setg(&local_err, "Connection closed.");
> + goto fail;
> + }
> + if (len < 0) {
> + error_setg(&local_err, "Message length is less than 0");
> + goto fail;
> + }
> + if (len != MPQEMU_MSG_HDR_SIZE) {
> + error_setg(&local_err, "Message header corrupted");
> + goto fail;
> + }
> + } else {
> + goto fail;
> + }
> +
> + if (msg->size > sizeof(msg->data)) {
> + error_setg(&local_err, "Invalid size for message");
> + goto fail;
> + }
> +
> + if (mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL,
> + &local_err) < 0) {
> + goto fail;
> + }
> +
> + msg->num_fds = nfds;
> + if (nfds) {
> + memcpy(msg->fds, fds, nfds * sizeof(int));
msg->fds buffer overflow if nfds > G_N_ELEMENTS(msg->fds).
> + }
> +
> +fail:
The fd[] array is leaked. The file descriptors themselves are leaked on error, too.
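Review bot: The payload read, `if (mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL, &local_err) < 0)`, rejects only a negative return, so a short read that delivers fewer than msg->size bytes is accepted and the caller goes on to treat a partly unfilled msg->data as a complete message. The header read a few lines above treats exactly that case as an error (`len != MPQEMU_MSG_HDR_SIZE` → "Message header corrupted"), which suggests mpqemu_read can return a short count; if it can, the second read needs the same guard. Capture the count and compare it: `len = mpqemu_read(ioc, (void *)&msg->data, msg->size, NULL, NULL, &local_err);` then `if (len < 0) { goto fail; }` and `if ((size_t)len != msg->size) { error_setg(&local_err, "Message payload truncated"); goto fail; }`. Whether mpqemu_read loops until the requested length arrives is not visible in this hunk, so confirm against its definition before adding the check. The function body continues past `fail:` outside the quoted hunk.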
