From 38c0ea3128cbc57db7885131a3965a0e67fbbc5a Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Sun, 29 Dec 2013 07:02:09 -0500
Subject: [PATCH] qopen-in-vm: fix read overflow

That one would also send more data to the other VM that what we intended: the start of the env var data (which in similar code on my host includes the GPG agent socket path, XDG session cookie, and more. The other side expects a fixed size though, so pad with NULs. Interestingly, the original code was not vulnerable as it was callocing enough space.
---
 qubes-rpc/qopen-in-vm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/qubes-rpc/qopen-in-vm.c b/qubes-rpc/qopen-in-vm.c
index 039716a..bffdd98 100644
--- a/qubes-rpc/qopen-in-vm.c
+++ b/qubes-rpc/qopen-in-vm.c
@@ -15,6 +15,7 @@
 void send_file(char *fname)
 {
 char *base;
+ char sendbuf[DVM_FILENAME_SIZE];
 int fd = open(fname, O_RDONLY);
 if (fd < 0)
 gui_fatal("open %s", fname);
@@ -25,7 +26,8 @@ void send_file(char *fname)
 base++;
 if (strlen(base) >= DVM_FILENAME_SIZE)
 base += strlen(base) - DVM_FILENAME_SIZE + 1;
- if (!write_all(1, base, DVM_FILENAME_SIZE))
+ strncpy(sendbuf,base,DVM_FILENAME_SIZE); /* fills out with NULs */
+ if (!write_all(1, sendbuf, DVM_FILENAME_SIZE))
 gui_fatal("send filename to dispVM");
 if (!copy_fd_all(1, fd))
 gui_fatal("send file to dispVM");
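Review bot: The `/* fills out with NULs */` comment on the new strncpy line understates the invariant it relies on: strncpy by itself does not NUL-terminate, and the terminator here comes only from the `base += strlen(base) - DVM_FILENAME_SIZE + 1` trim two lines above, which leaves at most DVM_FILENAME_SIZE-1 characters so that sendbuf[DVM_FILENAME_SIZE-1] is always NUL. I would make that explicit with `/* base was trimmed above to at most DVM_FILENAME_SIZE-1 chars, so strncpy NUL-pads the rest and the last byte is always NUL */`, because a later edit that drops or loosens the trim would silently turn this back into an unterminated field sent across the VM boundary. Minor style: `strncpy(sendbuf,base,DVM_FILENAME_SIZE)` omits the spaces after commas that the neighbouring `write_all(1, sendbuf, DVM_FILENAME_SIZE)` uses; `strncpy(sendbuf, base, DVM_FILENAME_SIZE);` matches the file. It is also worth noting in that comment that the trim keeps the tail of the name, so an over-long filename loses its leading characters rather than its extension — presumably deliberate, but not obvious to a reader. send_file begins before this hunk and continues past it.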