From 8da1ed9031341381c218b7e6eaab5b4f239a327b Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattd@bugfuzz.com>
Date: Sat, 30 Nov 2013 13:20:04 +1300
Subject: [PATCH] xenstore: sanity check incoming message body lengths

This is for the client-side receiving messages from xenstored, so there
is no security impact, unlike XSA-72.

Coverity-ID: 1055449
Coverity-ID: 1056028
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 tools/xenstore/xs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/xenstore/xs.c b/tools/xenstore/xs.c
index f1f1b9dc13..a636498f2e 100644
--- a/tools/xenstore/xs.c
+++ b/tools/xenstore/xs.c
@@ -1146,6 +1146,12 @@ static int read_message(struct xs_handle *h, int nonblocking)
 		goto error_freemsg;
 	}
 
+	/* Sanity check message body length. */
+	if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
+		saved_errno = E2BIG;
+		goto error_freemsg;
+	}
+
 	/* Allocate and read the message body. */
 	body = msg->body = malloc(msg->hdr.len + 1);
 	if (body == NULL)
-- 
2.30.2