diff options
author | Matthew Daley <mattjd@gmail.com> | 2013-06-14 16:45:41 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:45:41 +0100 |
commit | ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 (patch) | |
tree | fadb2d3aa4efbcb1e9666d53e1a7828c49bf1052 /tools | |
parent | 6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 (diff) | |
download | xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.tar.gz xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.tar.bz2 xen-ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978.zip |
libxc: check blob size before proceeding in xc_dom_check_gzip
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/libxc/xc_dom_core.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 3cbf9f791e..f8d1b08ba8 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) unsigned char *gzlen; size_t unziplen; + if ( ziplen < 6 ) + /* Too small. We need (i.e. the subsequent code relies on) + * 2 bytes for the magic number plus 4 bytes length. */ + return 0; + if ( strncmp(blob, "\037\213", 2) ) /* not gzipped */ return 0; |