List:       oss-security
Subject:    Re: [oss-security] spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshal
From:       Jeffrey Walton <noloader () gmail ! com>
Date:       2018-08-17 10:33:12
Message-ID: CAH8yC8mk=9pj20AUcDuCgJ7aabf+2chHhknS5=pjQF5LSq7Ptw () mail ! gmail ! com

On Fri, Aug 17, 2018 at 5:43 AM, Frediano Ziglio <fziglio@redhat.com> wrote:
>> On 08/17/2018 02:51 AM, Doran Moppert wrote:
>> >      +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
>> >      +            goto error;
>> >      +        }
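Review bot: the guard forms the pointer `start + 2` before it has been established that two bytes remain, so when `start` is within one byte of the end of the allocation the addition itself produces a pointer outside the object, which is undefined behaviour in C even though it is never dereferenced (this is the point Florian raises below). Comparing the remaining length instead keeps every pointer inside the buffer and avoids relying on wrap-around: `if (SPICE_UNLIKELY(message_end - start < 2))`, which is well defined as long as `start` and `message_end` refer to the same message buffer.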
>>
>> These checks are still technically invalid because start + 2 is not a
>> valid pointer if it points past the allocated object.
>>
> Technical but not real. Unless it wraps is correct...

I believe Florian is correct. I think the most freedom you are allowed
is to access one beyond the "end" of the array; otherwise it is
undefined behavior. The compiler is free to remove the code or dragons
can fly out your nose.

Jeff
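The following is an added example, not SPICE code and not from anyone in the thread: a demarshal-style read of a 16-bit field whose bounds check is written as a length comparison (`message_end - start < 2`) so that no pointer past the end of the buffer is ever formed. The names `read_u16_le`, `parse_fields` and the sample message are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Added example (not SPICE code). start and message_end are assumed to
 * point into, or one past the end of, the same buffer, so the subtraction
 * message_end - start is well defined; start + 2 would not be if fewer
 * than two bytes remain. */
static bool read_u16_le(const uint8_t *start, const uint8_t *message_end,
                        uint16_t *out, const uint8_t **next)
{
    /* Both operands stay inside the object: the subtraction is defined. */
    if (message_end - start < 2) {
        return false;          /* truncated message: caller goes to error */
    }
    *out = (uint16_t)(start[0] | ((uint16_t)start[1] << 8));
    *next = start + 2;         /* now known to be <= message_end */
    return true;
}

/* Constructed message: three little-endian u16 fields plus one stray byte. */
static const uint8_t sample_msg[] = { 0x34, 0x12, 0x78, 0x56, 0xff, 0x00, 0x01 };

/* Parse as many complete u16 fields as fit and return how many were read.
 * The trailing single byte is rejected by the check instead of being read
 * past the buffer. */
size_t parse_fields(const uint8_t *buf, size_t len, uint16_t *fields, size_t max)
{
    const uint8_t *start = buf;
    const uint8_t *message_end = buf + len;
    size_t n = 0;
    while (n < max && read_u16_le(start, message_end, &fields[n], &start)) {
        n++;
    }
    return n;
}

/* Convenience wrapper over the constructed sample message. */
size_t parse_sample(uint16_t *fields, size_t max)
{
    return parse_fields(sample_msg, sizeof sample_msg, fields, max);
}
```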