authorFrediano Ziglio <freddy77@gmail.com>2020-09-16 15:50:33 +0100
committerFrediano Ziglio <freddy77@gmail.com>2020-09-16 17:41:03 +0100
commit9b98e01c8f5d0dc8faaf3af7b8fc95768e1ff0ad (patch)
tree24017216b87b13f21812485b8feafba2b6daa000
parent1f2a7a079a42ac9bccc12749c5eac4fcdbd48b2e (diff)
channel-main: Handle not terminated host_data and cert_subject_data fields
host_data and cert_subject_data fields from SPICE messages might not be NUL-terminated, so using g_strdup can lead to a read overflow. This bug was discovered by Uri Lublin. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r--src/channel-main.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/channel-main.c b/src/channel-main.c
index 2881d59..5fefded 100644
--- a/src/channel-main.c
+++ b/src/channel-main.c
@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel,
mig->src_channel = channel;
mig->info = *dst_info;
if (dst_info->host_data) {
- mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data);
+ mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size);
}
if (dst_info->cert_subject_data) {
- mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data);
+ mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data,
+ dst_info->cert_subject_size);
}
mig->from = coroutine_self();
mig->do_seamless = do_seamless;
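Review bot: The g_strndup calls at lines 24 and 28 only remove the over-read if dst_info->host_size and dst_info->cert_subject_size were themselves validated against the received message length when the message was parsed; that check is not visible in this hunk, so it is worth confirming, because a size taken from the wire that exceeds the payload would move the over-read rather than eliminate it. A short comment above the first copy would also keep a future cleanup from reverting to g_strdup: `/* host_data and cert_subject_data arrive from the wire and are not guaranteed to be NUL-terminated: copy exactly *_size bytes and let g_strndup add the terminator. */`. main_migrate_connect begins before this hunk and continues after it.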