hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-Id: <20160113080958.GA18934@olga> [Comparison with "<" dumbed down, test for junk after strtoul() tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>
2025-12-17 21:26:13 -07:00 · 2016-01-13 09:09:58 +01:00 · 2016-01-13 09:09:58 +01:00 · 64ffbe04ea
commit 64ffbe04ea
parent c65db7705b
3 changed files with 12 additions and 13 deletions
--- a/include/ui/console.h
+++ b/include/ui/console.h
@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
 void curses_display_init(DisplayState *ds, int full_screen);

 /* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);

 /* gtk.c */
 void early_gtk_display_init(int opengl);