From 75e8685740199537bfefcbd9996ec3ff9f6342e6 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Wed, 8 Feb 2017 21:58:43 -0500
Subject: [PATCH] Adapting the following patch, from
 http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0003-main-channel-Prevent-overflow-reading-messages-from-.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d

> From: Frediano Ziglio <fziglio@redhat.com>
> Date: Tue, 29 Nov 2016 16:46:56 +0000
> Subject: [spice-server 3/3] main-channel: Prevent overflow reading messages
>  from client
>
> Caller is supposed the function return a buffer able to store
> size bytes.
>
> Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
> Acked-by: Christophe Fergeau <cfergeau@redhat.com>
> ---
>  server/main-channel.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/server/main-channel.c b/server/main-channel.c
> index 24dd448..1124506 100644
> --- a/server/main-channel.c
> +++ b/server/main-channel.c
> @@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
>
>      if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
>          return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size);
> +    } else if (size > sizeof(main_chan->recv_buf)) {
> +        /* message too large, caller will log a message and close the connection */
> +        return NULL;
>      } else {
>          return main_chan->recv_buf;
>      }
> --
> 2.9.3
> ---
 server/main_channel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/main_channel.c b/server/main_channel.c
index 0ecc9df..1fc3915 100644
--- a/server/main_channel.c
+++ b/server/main_channel.c
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,

     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
         return reds_get_agent_data_buffer(mcc, size);
+    } else if (size > sizeof(main_chan->recv_buf)) {
+        /* message too large, caller will log a message and close the connection */
+        return NULL;
     } else {
         return main_chan->recv_buf;
     }
--
2.10.0