[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Two small patches related to xenfb



Rafal Wojtczuk wrote:
> Hello,
> Two minor issues:
> row_stride_div0.patch: a malicious frontend can send row_stride==0 and force
> qemu-dm to perform division by 0

Ok.

> vnc_resize_doublecheck.patch: there is an unchecked multiplication when
> calculating framebuffer size. Cs 17630 sanitizes framebuffer dimensions
> passed by the frontend, so most probably no integer overflow can happen, but
> there should be a check for overflow close to the actual computation (to
> make code review easier and to cope with other codepaths in the future). 

If bogous values can make it through the sanity checks in
xenfb_configure_fb() then those sanity checks must be fixed.

Adding another check somewhere else certainly doesn't make review
easier.  In contrast it makes error handling more complicated because
there are multiple places where you have to deal with errors instead of
just one functions which does all sanity checks.

cheers,
  Gerd



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.