diff options
author | Matthew Daley <mattjd@gmail.com> | 2013-06-14 16:39:38 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:38 +0100 |
commit | 966070058d02cce9684e30073b61d6465e4b351c (patch) | |
tree | 8fc5b51f93782951cd8b56a900815b88233a3c33 | |
parent | de7911eaef98b6643d80e4612fe4dcd4528d15b9 (diff) | |
download | xen-966070058d02cce9684e30073b61d6465e4b351c.tar.gz xen-966070058d02cce9684e30073b61d6465e4b351c.tar.bz2 xen-966070058d02cce9684e30073b61d6465e4b351c.zip |
libxc: check blob size before proceeding in xc_dom_check_gzip
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v8: Add a comment explaining where the number 6 comes from.
v6: This patch is new in v6 of the series.
-rw-r--r-- | tools/libxc/xc_dom_core.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 1a14d3c5ce..5f188c1321 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) unsigned char *gzlen; size_t unziplen; + if ( ziplen < 6 ) + /* Too small. We need (i.e. the subsequent code relies on) + * 2 bytes for the magic number plus 4 bytes length. */ + return 0; + if ( strncmp(blob, "\037\213", 2) ) /* not gzipped */ return 0; |