[Libvir] [PATCH] Fix endless loop of VirBufferVSprintf()

Masayuki Sunou fj1826dm at aa.jp.fujitsu.com
Thu Aug 30 02:29:34 UTC 2007 

Hi

Would you give me a comment on this?
This occurs when virsh create is executed by using the attached file.  

Thanks,
Masayuki Sunou

In message <200708241730.AJI90166.3GE29KN7 at aa.jp.fujitsu.com>
   "[Libvir] [PATCH] Fix endless loop of VirBufferVSprintf()"
   "Masayuki Sunou <fj1826dm at aa.jp.fujitsu.com>" wrote:

> Hi
> 
> VirBufferVSprintf() loops endless when it receives over 2000 bytes,
> because the return value of vsnprintf() is more than "size - 1".
> It is because the maximum of "size" is 1999 bytes.
>  --> the maximum of "buf->size - buf->use" = 2000
>      (1000(argument of virBufferGrow()) + 1000(set in virBufferGrow()))
> 
> So, virBufferEscapeString() has the same problem.
> 
> This patch sets to virBufferGrow() the size of the data
> which VirBufferVSprintf()(virBufferEscapeString()) received
> when it is over 1000 bytes.
> 
> Signed-off-by: Masayuki Sunou <fj1826dm at aa.jp.fujitsu.com>
> 
> Thanks,
> Masayuki Sunou.
> 
> ----------------------------------------------------------------------
> Index: src/buf.c
> ===================================================================
> RCS file: /data/cvs/libvirt/src/buf.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 buf.c
> --- src/buf.c	9 Jul 2007 11:24:52 -0000	1.3
> +++ src/buf.c	24 Aug 2007 05:56:37 -0000
> @@ -159,7 +159,7 @@ virBufferContentAndFree (virBufferPtr bu
>  int
>  virBufferVSprintf(virBufferPtr buf, const char *format, ...)
>  {
> -    int size, count;
> +    int size, count, grow_size;
>      va_list locarg, argptr;
>  
>      if ((format == NULL) || (buf == NULL)) {
> @@ -172,7 +172,8 @@ virBufferVSprintf(virBufferPtr buf, cons
>                                 locarg)) < 0) || (count >= size - 1)) {
>          buf->content[buf->use] = 0;
>          va_end(locarg);
> -        if (virBufferGrow(buf, 1000) < 0) {
> +        grow_size = (count > 1000) ? count : 1000;
> +        if (virBufferGrow(buf, grow_size) < 0) {
>              return (-1);
>          }
>          size = buf->size - buf->use - 1;
> @@ -198,7 +199,7 @@ virBufferVSprintf(virBufferPtr buf, cons
>  int
>  virBufferEscapeString(virBufferPtr buf, const char *format, const char *str)
>  {
> -    int size, count, len;
> +    int size, count, len, grow_size;
>      char *escaped, *out;
>      const char *cur;
>  
> @@ -248,7 +249,8 @@ virBufferEscapeString(virBufferPtr buf, 
>      while (((count = snprintf(&buf->content[buf->use], size, format,
>                                (char *)escaped)) < 0) || (count >= size - 1)) {
>          buf->content[buf->use] = 0;
> -        if (virBufferGrow(buf, 1000) < 0) {
> +        grow_size = (count > 1000) ? count : 1000;
> +        if (virBufferGrow(buf, grow_size) < 0) {
>  	    free(escaped);
>              return (-1);
>          }
> ----------------------------------------------------------------------
> 
> --
> Libvir-list mailing list
> Libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NG.xml
Type: text/xml
Size: 4555 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20070830/0c47003d/attachment-0001.xml>

More information about the libvir-list mailing list