xenstore: sanity check incoming message body lengths
author Matthew Daley <mattd@bugfuzz.com>
Sat, 30 Nov 2013 00:20:04 +0000 (13:20 +1300)
committer Ian Jackson <Ian.Jackson@eu.citrix.com>
Thu, 19 Dec 2013 17:16:33 +0000 (17:16 +0000)
This is for the client-side receiving messages from xenstored, so there
is no security impact, unlike XSA-72.

Coverity-ID: 1055449
Coverity-ID: 1056028
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
tools/xenstore/xs.c

index f1f1b9dc13509c2e5015927a291949b25fd442e9..a636498f2e2261738fc5290f1761ea629b0853a2 100644 (file)
@@ -1146,6 +1146,12 @@ static int read_message(struct xs_handle *h, int nonblocking)
                goto error_freemsg;
        }
 
+       /* Sanity check message body length. */
+       if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
+               saved_errno = E2BIG;
+               goto error_freemsg;
+       }
+
        /* Allocate and read the message body. */
        body = msg->body = malloc(msg->hdr.len + 1);
        if (body == NULL)
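
Review bot: the new `goto error_freemsg` in the length check bails out before the "Allocate and read the message body" step, so a header with an oversized `len` leaves its body bytes unread on the connection. It is worth confirming, and noting in the comment, that callers treat an E2BIG failure from read_message() as fatal for the handle rather than retrying, since a later read would start partway through that body. The comment could also say what the bound protects: the `malloc(msg->hdr.len + 1)` just below, where an unchecked length sets the allocation size and the `+ 1` can wrap if `len` is at the maximum of its type.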