
[Libvir] Fix for buffer overflow in network setup



There was a buffer overflow in the code to deal with building command line
arguments which was only exposed when the Fedora RPM builds use the
stack protector args to GCC. The attached patch increases the buffer size
and uses snprintf() instead of sprintf().

BTW, if anyone is looking for a patch to write - removing all other calls
to sprintf() would be a worthy task :-)

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
Index: qemud/conf.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/conf.c,v
retrieving revision 1.43
diff -u -p -r1.43 conf.c
--- qemud/conf.c	16 Mar 2007 15:03:21 -0000	1.43
+++ qemud/conf.c	20 Mar 2007 16:23:54 -0000
@@ -1301,13 +1301,14 @@ int qemudBuildCommandLine(struct qemud_s
     } else {
         int vlan = 0;
         while (net) {
-            char nic[3+1+7+1+17+1];
+            char nic[100];
 
-            sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
-                    net->mac[0], net->mac[1],
-                    net->mac[2], net->mac[3],
-                    net->mac[4], net->mac[5],
-                    vlan);
+            if (snprintf(nic, sizeof(nic), "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
+                         net->mac[0], net->mac[1],
+                         net->mac[2], net->mac[3],
+                         net->mac[4], net->mac[5],
+                         vlan) >= sizeof(nic))
+                goto error;
 
             if (!((*argv)[++n] = strdup("-net")))
                 goto no_memory;
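
Review bot: the new check "snprintf(...) >= sizeof(nic)" compares an int return value against a size_t, so a negative (error) return is caught only through implicit conversion to unsigned, and builds with -Wsign-compare will warn here. Storing the result in an int and testing "n < 0 || (size_t)n >= sizeof(nic)" makes both failure cases explicit. Separately, "char nic[100]" replaces a self-documenting sum with an unexplained constant: the removed "3+1+7+1+17+1" covered "nic,macaddr=" plus the MAC and the NUL but left out the ",vlan=%d" part, so either add that term to the sum or add a comment saying what the 100 has to hold. The "error" label is not visible in this hunk; worth confirming that path reports a message rather than failing silently.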

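The size arithmetic behind the overflow described in the message, as an added example (not code from libvirt or from the patch). The helper names nic_arg_needed() and format_nic_arg() and the sample MAC address are made up for illustration; only the format string and the old buffer size come from the patch.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Size the removed declaration used: 3+1+7+1+17+1 = 30 bytes. */
#define OLD_NIC_BUF (3 + 1 + 7 + 1 + 17 + 1)
#define NIC_FMT "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d"

/* Bytes required for the argument, including the trailing NUL.
 * snprintf(NULL, 0, ...) measures the output without writing (C99). */
static int nic_arg_needed(const unsigned char mac[6], int vlan)
{
    int n = snprintf(NULL, 0, NIC_FMT,
                     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], vlan);
    return n < 0 ? -1 : n + 1;
}

/* Bounded formatting: 0 on success, -1 on output error or truncation.
 * The int result is checked for < 0 before the cast to size_t. */
static int format_nic_arg(char *buf, size_t buflen,
                          const unsigned char mac[6], int vlan)
{
    int n = snprintf(buf, buflen, NIC_FMT,
                     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], vlan);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample MAC address, not taken from the page. */
    const unsigned char mac[6] = { 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 };
    char small[OLD_NIC_BUF];
    char big[100];

    printf("old buffer: %d bytes, needed for vlan 0: %d bytes\n",
           OLD_NIC_BUF, nic_arg_needed(mac, 0));
    printf("old size with bounded call: %s\n",
           format_nic_arg(small, sizeof(small), mac, 0) ? "rejected" : "ok");
    if (format_nic_arg(big, sizeof(big), mac, 0) == 0)
        printf("new size: %s (%zu chars)\n", big, strlen(big));
    return 0;
}
```

Even the smallest vlan value needs more room than the old buffer had, which is why sprintf() wrote past the end on every call and the stack protector build was the first to notice.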