The example uses a buffer pool for all requests, but it did not clear the buffers before they were used. If we failed to handle a read error, this could lead to leaking sensitive data to the destination server.
Signed-off-by: Nir Soffer <[email protected]> --- examples/copy-libev.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/copy-libev.c b/examples/copy-libev.c index 51ff9fb0..13db898a 100644 --- a/examples/copy-libev.c +++ b/examples/copy-libev.c @@ -634,21 +634,28 @@ main (int argc, char *argv[]) /* Check destination server capabilities. */ dst.can_zero = nbd_can_zero (dst.nbd) > 0; /* Start the copy "loop". When request completes, it starts the * next request, until entire image was copied. */ for (i = 0; i < MAX_REQUESTS; i++) { struct request *r = &requests[i]; r->index = i; - r->data = malloc (REQUEST_SIZE); + + /* + * Clear the buffer before starting the copy, so if we fail to + * handle a read error we will not write uninitilized data to + * the destination server, which may leak sensitive data to + * remote host. + */ + r->data = calloc (1, REQUEST_SIZE); if (r->data == NULL) FAIL ("Cannot allocate buffer: %s", strerror (errno)); start_request(r); } /* Start watching events on src and dst handles. */ ev_io_init (&src.watcher, io_cb, get_fd (&src), get_events (&src)); ev_io_start (loop, &src.watcher); -- 2.34.1 _______________________________________________ Libguestfs mailing list [email protected] https://listman.redhat.com/mailman/listinfo/libguestfs
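Review bot: `r->data = calloc (1, REQUEST_SIZE);` in the `MAX_REQUESTS` loop zeroes each buffer only once, at allocation, and that covers just the first use of each buffer. The comment above the loop says a completed request starts the next one, so each `r->data` is reused. After its first successful read, the buffer holds data from an earlier offset of the source image. An unhandled read error on a later request would then write that stale data to the destination. This would no longer expose heap contents, but it would silently corrupt the copy. Please say in the comment or the commit message that this is a mitigation for first use only, and either check the read result before issuing the write or clear the buffer each time a request is started. Also, the new comment has a typo: "uninitilized" should be "uninitialized". Its `/*` on a line of its own differs from the single-line-opening comment style used just above in the same function.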
