[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities

From: Daniel Veillard <veillard redhat com>
To: "Daniel P. Berrange" <berrange redhat com>
Cc: libvir-list redhat com
Subject: Re: [Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities
Date: Tue, 29 Apr 2008 02:46:14 -0400

On Mon, Apr 28, 2008 at 11:42:47PM +0100, Daniel P. Berrange wrote:
> The Xen driver uses a regex to process the hypervisor capabilities data
> 
>   "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";
> 
> notice how the last match group, however, is optional due to the '?'. The
> code processing matches does not check to see if the match is present or
> not, and just indexes the string on match 3
> 
>      if (strncmp (&token[subs[3].rm_so], "p", 1) == 0)
> 
> Unfortunately,  subs[3].rm_so is -1 if the match was not present, so we're
> doing an out of bounds array access here. This is fairly harmless, but it
> is still good to fix it. So this patch adds a check for -1 before accessing
> the match. I also replace the strncmp() calls with a call to the brand new
> STRPREFIX() convenience macro

  Okidoc, i assume valgrind spotted that, that's fairly well hidden ...

    +1

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/

Follow-Ups:
- Re: [Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities
  - From: Daniel P. Berrange

References:
- [Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities
  - From: Daniel P. Berrange

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]