Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qopen-in-vm: fix read overflow

Browse Source 
That one would also send more data to the other VM that what we
intended: the start of the env var data (which in similar code
on my host includes the GPG agent socket path, XDG session cookie,
and more.

The other side expects a fixed size though, so pad with NULs.

Interestingly, the original code was not vulnerable as it was
callocing enough space.
This commit is contained in:
Vincent Penquerc'h 2013-12-29 07:02:09 -05:00 committed by Marek Marczykowski-Górecki
parent 5af6f0ff7f
commit 38c0ea3128
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
qubes-rpc/qopen-in-vm.c
View File

@ -15,6 +15,7 @@
void send_file(char *fname) void send_file(char *fname)
{ {
char *base; char *base;
char sendbuf[DVM_FILENAME_SIZE];
int fd = open(fname, O_RDONLY); int fd = open(fname, O_RDONLY);
if (fd < 0) if (fd < 0)
gui_fatal("open %s", fname); gui_fatal("open %s", fname);
@ -25,7 +26,8 @@ void send_file(char *fname)
base++; base++;
if (strlen(base) >= DVM_FILENAME_SIZE) if (strlen(base) >= DVM_FILENAME_SIZE)
base += strlen(base) - DVM_FILENAME_SIZE + 1; base += strlen(base) - DVM_FILENAME_SIZE + 1;
if (!write_all(1, base, DVM_FILENAME_SIZE)) strncpy(sendbuf,base,DVM_FILENAME_SIZE); /* fills out with NULs */
if (!write_all(1, sendbuf, DVM_FILENAME_SIZE))
gui_fatal("send filename to dispVM"); gui_fatal("send filename to dispVM");
if (!copy_fd_all(1, fd)) if (!copy_fd_all(1, fd))
gui_fatal("send file to dispVM"); gui_fatal("send file to dispVM");