kumquat-buildroot/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch

From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 29 Nov 2016 16:46:56 +0000
Subject: [PATCH] main-channel: Prevent overflow reading messages from client

Caller is supposed the function return a buffer able to store
size bytes.

[Peter: fixes CVE-2016-9577]
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 server/main_channel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/main_channel.c b/server/main_channel.c
index 0ecc9df8..1fc39155 100644
--- a/server/main_channel.c
+++ b/server/main_channel.c
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
 
     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
         return reds_get_agent_data_buffer(mcc, size);
+    } else if (size > sizeof(main_chan->recv_buf)) {
+        /* message too large, caller will log a message and close the connection */
+        return NULL;
     } else {
         return main_chan->recv_buf;
     }
-- 
2.11.0
spice: add post-0.12.8 upstream security fixes Fixes the following security issues: CVE-2016-9577 Frediano Ziglio of Red Hat discovered a buffer overflow vulnerability in the main_channel_alloc_msg_rcv_buf function. An authenticated attacker can take advantage of this flaw to cause a denial of service (spice server crash), or possibly, execute arbitrary code. CVE-2016-9578 Frediano Ziglio of Red Hat discovered that spice does not properly validate incoming messages. An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-06-22 00:07:44 +02:00			`From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001`
			`From: Frediano Ziglio <fziglio@redhat.com>`
			`Date: Tue, 29 Nov 2016 16:46:56 +0000`
			`Subject: [PATCH] main-channel: Prevent overflow reading messages from client`

			`Caller is supposed the function return a buffer able to store`
			`size bytes.`

			`[Peter: fixes CVE-2016-9577]`
			`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
			`Acked-by: Christophe Fergeau <cfergeau@redhat.com>`
			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`server/main_channel.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/server/main_channel.c b/server/main_channel.c`
			`index 0ecc9df8..1fc39155 100644`
			`--- a/server/main_channel.c`
			`+++ b/server/main_channel.c`
			`@@ -1026,6 +1026,9 @@ static uint8_t main_channel_alloc_msg_rcv_buf(RedChannelClient rcc,`

			`if (type == SPICE_MSGC_MAIN_AGENT_DATA) {`
			`return reds_get_agent_data_buffer(mcc, size);`
			`+ } else if (size > sizeof(main_chan->recv_buf)) {`
			`+ /* message too large, caller will log a message and close the connection */`
			`+ return NULL;`
			`} else {`
			`return main_chan->recv_buf;`
			`}`
			`--`
			`2.11.0`