[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH] lib: update inspect_list_applications to return all installed RPMs (RHBZ#859885)



On Mon, Oct 29, 2012 at 03:12:36PM -0400, John Eckersberg wrote:
> "Richard W.M. Jones" <rjones redhat com> writes:
> >> +
> >> +static char *
> >> +get_rpm_header_tag (guestfs_h *g, const void *header_start, size_t header_len, uint32_t tag)
> >> +{
> >> +  uint32_t num_fields, offset;
> >> +  const void *cursor = header_start + 8, *store;
> >> +
> >> +  /* This function parses the RPM header structure to pull out various
> >> +   * tag strings (version, release, arch, etc.).  For more detail on the
> >> +   * header format, see:
> >> +   * http://www.rpm.org/max-rpm/s1-rpm-file-format-rpm-file-format.html#S2-RPM-FILE-FORMAT-HEADER
> >> +   */
> >> +
> >> +  num_fields = be32toh (*(uint32_t *) header_start);
> >> +  store = header_start + 8 + (16 * num_fields);
> >> +
> >> +  while (cursor < store && cursor < header_start + header_len) {
> >> +    if (be32toh (*(uint32_t *) cursor) == tag){
> >
> > ^ Space before '{' character.
> >
> >> +      offset = be32toh(*(uint32_t *) (cursor + 8));
> >> +      return safe_strdup(g, store + offset);
> >> +    }
> >> +    cursor += 16;
> >> +  }
> >
> > I'm curious if this code will work if header_len is unusually small.
> > I think it would cause the library to read past the end of the
> > allocated buffer, possibly crashing or doing other Bad Stuff.  Note
> > that the header_len field is under control of the guest, so this could
> > be a security problem.
> 
> Do you mean unusually large?  The while loop is bounded by:
> 
> cursor < header_start + header_len
> 
> An unusually small header_len will just cause it to bail early and
> return NULL, which is not a problem.

Actually I was looking at the 'be32toh (*(uint32_t *) header_start)'
which I guess can read up to 3 bytes after the buffer, then wondering
about the loop that follows which can also read up to 11 bytes over
the end of the buffer, I think ...

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]