libxenguest: Add missing range-check on count field read from a domain

author kfraser@localhost.localdomain <kfraser@localhost.localdomain>

Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)

committer kfraser@localhost.localdomain <kfraser@localhost.localdomain>

Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)
author kfraser@localhost.localdomain <kfraser@localhost.localdomain>
Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)
committer kfraser@localhost.localdomain <kfraser@localhost.localdomain>
Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)
diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c

index aaabed6d4241c0bb694fe97f657696b331f184b1..3193ce191c7f22d484585a6c6a7cae89943564ce 100644 (file)
--- a/tools/libxc/xc_domain_restore.c
+++ b/tools/libxc/xc_domain_restore.c
@@ -903,13 +903,14 @@ int xc_domain_restore(int xc_handle, int io_fd, uint32_t dom,
  
      /* Get the list of PFNs that are not in the psuedo-phys map */
      {
-        unsigned int count;
+        unsigned int count = 0;
          unsigned long *pfntab;
          int nr_frees, rc;
  
-        if ( !read_exact(io_fd, &count, sizeof(count)) )
+        if ( !read_exact(io_fd, &count, sizeof(count)) ||
+             (count > (1U << 28)) ) /* up to 1TB of address space */
          {
-            ERROR("Error when reading pfn count");
+            ERROR("Error when reading pfn count (= %u)", count);
              goto out;
          }
author	kfraser@localhost.localdomain <kfraser@localhost.localdomain>
	Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)
committer	kfraser@localhost.localdomain <kfraser@localhost.localdomain>
	Thu, 21 Jun 2007 08:47:39 +0000 (09:47 +0100)