On 3/21/24 01:53, Daniel P. Berrangé wrote:
> While the C API entry points will validate non-negative lengths
> for various parameters, the RPC server de-serialization code
> will need to allocate memory for arrays before entering the C
> API. These allocations will thus happen before the non-negative
> length check is performed.
>
> Passing a negative length to the g_new0 function will usually
> result in a crash due to the negative length being treated as
> a huge positive number.
>
> This was found and diagnosed by ALT Linux Team with AFLplusplus.
>
> CVE-2024-2494
> Found-by: Alexandr Shashkin <[email protected]>
> Co-developed-by: Alexander Kuznetsov <[email protected]>
> Signed-off-by: Daniel P. Berrangé <[email protected]>
> ---
>  src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
>  src/rpc/gendispatch.pl              |  5 +++
>  2 files changed, 70 insertions(+)
Reviewed-by: Michal Privoznik <[email protected]>

Michal

_______________________________________________
Devel mailing list -- [email protected]
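As an added illustration, not libvirt's code and not part of the patch under review: a hypothetical C helper (names `unchecked_alloc_size`, `rpc_alloc_array_checked` and `checked_alloc_succeeds` are invented) showing why a negative wire length becomes a huge allocation once it reaches the allocator, and how rejecting it in the deserializer before allocating, the ordering this patch introduces, avoids the crash.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* What the unchecked path hands to the allocator: the wire-format signed
 * length converted to size_t. For any negative n the result is enormous,
 * which is why g_new0(type, n) aborts instead of returning a small array. */
size_t unchecked_alloc_size(int n, size_t elem_size)
{
    return (size_t)n * elem_size;
}

/* Hypothetical deserializer helper (not libvirt's code): refuse the length
 * before it reaches the allocator, mirroring the fix's ordering, and also
 * guard the count * element-size multiplication against wrap-around. */
void *rpc_alloc_array_checked(int n, size_t elem_size)
{
    if (n < 0)                                  /* negative wire length */
        return NULL;
    if (elem_size != 0 && (size_t)n > SIZE_MAX / elem_size)
        return NULL;                            /* would overflow size_t */
    return calloc((size_t)n, elem_size);        /* zeroed, like g_new0 */
}

/* Returns 1 if the checked helper hands back a usable int array for n,
 * 0 if the length was rejected. */
int checked_alloc_succeeds(int n)
{
    void *p = rpc_alloc_array_checked(n, sizeof(int));
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}
```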
