> On 23 Feb 2018, at 11:11, Frediano Ziglio <fzig...@redhat.com> wrote:
> 
> Depending on how structures are initialised in the code, it is
> possible that implicit padding bytes are not initialised,
> causing possible information leaks as the entire structure
> with all padding is sent through device/network.
> 
> Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
> ---
> spice/stream-device.h | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/spice/stream-device.h b/spice/stream-device.h
> index 2e7c50e..b2f83b5 100644
> --- a/spice/stream-device.h
> +++ b/spice/stream-device.h
> @@ -48,6 +48,8 @@
>  * containing integers up to 64 bit.
>  * All numbers are in little endian format.
>  *
> + * For security reasons structures should not contain implicit paddings.

Acked-by: Christophe de Dinechin <dinec...@redhat.com> 

> + *
>  * The protocol can be defined by these states:
>  * - Initial. Device just opened. Guest should wait
>  *   for a message from the host;
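
Review bot: the added line "For security reasons structures should not contain implicit paddings" states the rule but not how a structure author is expected to satisfy it, nor what the risk is. Consider extending the comment to say that any alignment gap must be filled with an explicit reserved field that the sender sets to zero, and that the reason is the one given in the commit message: the entire structure, padding included, is sent through the device/network. As a style point, "paddings" reads better as "padding".
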
> -- 
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
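
The leak the commit message describes, as an added example that is not part of the patch or of the SPICE code: a message struct with implicit padding beside the same layout with the gap made explicit and guarded at compile time. The struct names, fields and the 0xAA filler are hypothetical, and the sizes assume an ABI where `uint32_t` is 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message: 3 implicit padding bytes follow `type`. */
struct msg_implicit {
    uint8_t  type;
    uint32_t size;
};

/* Same layout with the gap made an explicit, named field. */
struct msg_explicit {
    uint8_t  type;
    uint8_t  reserved[3];   /* sender always writes zero */
    uint32_t size;
};

/* Compile-time guard: the build fails if padding creeps in. */
_Static_assert(sizeof(struct msg_explicit) == 1 + 3 + 4,
               "msg_explicit must not contain implicit padding");

/* Bytes of msg_implicit that no named field covers. */
size_t implicit_padding_bytes(void)
{
    return sizeof(struct msg_implicit) - sizeof(uint8_t) - sizeof(uint32_t);
}

/* Write only the named fields of msg_implicit into a buffer pre-filled
 * with 0xAA (stand-in for stale memory); count stale bytes left over. */
size_t stale_bytes_sent(void)
{
    unsigned char wire[sizeof(struct msg_implicit)];
    uint8_t type = 1;
    uint32_t size = 0;
    size_t i, stale = 0;
    memset(wire, 0xAA, sizeof(wire));
    memcpy(wire + offsetof(struct msg_implicit, type), &type, sizeof(type));
    memcpy(wire + offsetof(struct msg_implicit, size), &size, sizeof(size));
    for (i = 0; i < sizeof(wire); i++)
        stale += (wire[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("padding: %zu, stale bytes sent: %zu\n", implicit_padding_bytes(), stale_bytes_sent());
    return 0;
}
```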
