From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH 22/22] libxc: check blob size before proceeding in xc_dom_check_gzip Date: Tue, 11 Jun 2013 20:08:32 +0100 Message-ID: <51B775B0.9030800@citrix.com> References: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com> <1370974865-19554-23-git-send-email-ian.jackson@eu.citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1370974865-19554-23-git-send-email-ian.jackson@eu.citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Jackson Cc: "xen-devel@lists.xensource.com" , "mattjd@gmail.com" , "security@xen.org" List-Id: xen-devel@lists.xenproject.org On 11/06/13 19:21, Ian Jackson wrote: > From: Matthew Daley > > This is part of the fix to a security issue, XSA-55. > > Signed-off-by: Matthew Daley Reviewed-by: Andrew Cooper > > v6: This patch is new in v6 of the series. > --- > tools/libxc/xc_dom_core.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c > index 1a14d3c..bf05d2a 100644 > --- a/tools/libxc/xc_dom_core.c > +++ b/tools/libxc/xc_dom_core.c > @@ -284,6 +284,10 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) > unsigned char *gzlen; > size_t unziplen; > > + if ( ziplen < 6 ) > + /* too small */ > + return 0; > + > if ( strncmp(blob, "\037\213", 2) ) > /* not gzipped */ > return 0;