[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: [libvirt] [PATCH] Fix latent buffer overflow in qemudOpenMonitorUnix.
- From: "Daniel P. Berrange" <berrange redhat com>
- To: Chris Lalancette <clalance redhat com>
- Cc: libvir-list redhat com
- Subject: Re: [libvirt] [PATCH] Fix latent buffer overflow in qemudOpenMonitorUnix.
- Date: Fri, 31 Jul 2009 16:02:43 +0100
On Fri, Jul 31, 2009 at 03:20:09PM +0200, Chris Lalancette wrote:
> Fix a possible latent bug in qemudOpenMonitorUnix(). If the pathname
> to the monitor is very long (i.e. >= UNIX_MAX_PATH), then strncpy will
> *not* place a final \0 on the string (see "man strncpy").
> NULL terminate the buffer to ensure we don't run off the end.
>
> Signed-off-by: Chris Lalancette <clalance redhat com>
> ---
> src/qemu_driver.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/src/qemu_driver.c b/src/qemu_driver.c
> index 9fcc07a..4f173b7 100644
> --- a/src/qemu_driver.c
> +++ b/src/qemu_driver.c
> @@ -910,6 +910,7 @@ qemudOpenMonitorUnix(virConnectPtr conn,
> memset(&addr, 0, sizeof(addr));
> addr.sun_family = AF_UNIX;
> strncpy(addr.sun_path, monitor, sizeof(addr.sun_path));
> + NUL_TERMINATE(addr.sun_path);
>
> do {
> ret = connect(monfd, (struct sockaddr *) &addr, sizeof(addr));
ACK, but this mistake is made in pretty much every use of unix
domain sockets :-( Could you fix the others here too.
Clearly strncpy() is just unfit for purpose, and we should plan to banish
it in favour of a virStrncpy impl that guarnetees to add the trailing \0.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]