diff options
| author | Matthew Daley <mattjd@gmail.com> | 2013-06-14 16:45:41 +0100 |
|---|---|---|
| committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:45:41 +0100 |
| commit | ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 (patch) | |
| tree | fadb2d3aa4efbcb1e9666d53e1a7828c49bf1052 | |
| parent | 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 (diff) | |
| download | xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.tar.gz xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.tar.bz2 xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.zip | |
libxc: check blob size before proceeding in xc_dom_check_gzip
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
| -rw-r--r-- | tools/libxc/xc_dom_core.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 3cbf9f791e..f8d1b08ba8 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) unsigned char *gzlen; size_t unziplen; + if ( ziplen < 6 ) + /* Too small. We need (i.e. the subsequent code relies on) + * 2 bytes for the magic number plus 4 bytes length. */ + return 0; + if ( strncmp(blob, "\037\213", 2) ) /* not gzipped */ return 0; |