diff options
| author | Wolfgang Bumiller <w.bumiller@proxmox.com> | 2016-01-13 09:09:58 +0100 |
|---|---|---|
| committer | Markus Armbruster <armbru@redhat.com> | 2016-02-03 10:13:06 +0100 |
| commit | 64ffbe04eaafebf4045a3ace52a360c14959d196 (patch) | |
| tree | 57ccddbc02a6c706c89ff44f78ee62f65f9d397c /ui/input-legacy.c | |
| parent | c65db7705b7926f4a084b93778e4bd5dd3990aad (diff) | |
| download | qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.gz qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.bz2 qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.zip | |
hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Diffstat (limited to 'ui/input-legacy.c')
| -rw-r--r-- | ui/input-legacy.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ui/input-legacy.c b/ui/input-legacy.c index 35dfc27687..3454055084 100644 --- a/ui/input-legacy.c +++ b/ui/input-legacy.c @@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = QTAILQ_HEAD_INITIALIZER(led_handlers); -int index_from_key(const char *key) +int index_from_key(const char *key, size_t key_length) { int i; for (i = 0; QKeyCode_lookup[i] != NULL; i++) { - if (!strcmp(key, QKeyCode_lookup[i])) { + if (!strncmp(key, QKeyCode_lookup[i], key_length) && + !QKeyCode_lookup[i][key_length]) { break; } } |