[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Fix buffer overflow in dumping XML



On Wed, Mar 21, 2007 at 03:09:09PM +0000, Daniel P. Berrange wrote:
> The new bufferContentAndFree() method used for the QEMU daemon rellocs the
> buffer size down to release memory held by the buffer which was never used
> for any data. Unfortunately it reallocs it 1 byte too small, so later uses
> of strlen()/strcpy() either magically work, or randomly append gargage or
> crash the daemon depending on the phase of the moon :-) Re-allocing the
> buffer to relase a few bytes memory isn't really an optimization since the
> caller is going to free the entire block a very short while later, so this
> patch simply removes the realloc call.

  Okay, please commit :-)

> As an aside, the virBuffer functions in src/xml.c and the buffer functions
> in qemud/buf.c are both flawed wrt to the way they call the Grow method. 
> The method expects the len parameter to be extra bytes needed, but several
> of the callers pass in the total desired length, so it allocates too much
> memory. There are various other non-fatal flaws which need to be cleaned
> up in this code, but the attached patch just focuses on the current fatal
> buffer overflow for now.

Okay, I fixed the problems, commited in CVS, I also clarified the
documentationof those routines.

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]