[Libvir] Fix buffer overflow in dumping XML

Daniel Veillard veillard at redhat.com
Wed Mar 21 15:26:28 UTC 2007


On Wed, Mar 21, 2007 at 03:09:09PM +0000, Daniel P. Berrange wrote:
> The new bufferContentAndFree() method used for the QEMU daemon reallocs the
> buffer size down to release memory held by the buffer which was never used
> for any data. Unfortunately it reallocs it 1 byte too small, so later uses
> of strlen()/strcpy() either magically work, or randomly append garbage or
> crash the daemon depending on the phase of the moon :-) Re-allocing the
> buffer to release a few bytes of memory isn't really an optimization since the
> caller is going to free the entire block a very short while later, so this
> patch simply removes the realloc call.

  Okay, please commit :-)

> As an aside, the virBuffer functions in src/xml.c and the buffer functions
> in qemud/buf.c are both flawed wrt the way they call the Grow method.
> The method expects the len parameter to be extra bytes needed, but several
> of the callers pass in the total desired length, so it allocates too much
> memory. There are various other non-fatal flaws which need to be cleaned
> up in this code, but the attached patch just focuses on the current fatal
> buffer overflow for now.

Okay, I fixed the problems and committed them in CVS; I also clarified the
documentation of those routines.

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard at redhat.com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
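The two defects discussed above, as an added example in C that is not libvirt's own code: a hypothetical minimal growable buffer whose Grow routine takes the number of extra bytes (not the total length), a detached-content routine that, like the committed fix, does no shrinking realloc, and a check showing why trimming the block to the bytes in use drops the terminating NUL.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal string buffer modelled on the virBuffer / qemud buf
 * API described in the thread; added example, not libvirt code. */
typedef struct {
    char *content;  /* NUL-terminated data */
    size_t use;     /* bytes in use, not counting the terminating NUL */
    size_t size;    /* allocated capacity in bytes */
} buf_t;

/* Contract: 'extra' is the number of ADDITIONAL bytes the caller is about to
 * append; the NUL is accounted for here. Passing b->use + len instead (the
 * caller misuse mentioned in the thread) merely over-allocates. */
static int buf_grow(buf_t *b, size_t extra) {
    size_t need = b->use + extra + 1;
    if (need <= b->size) return 0;
    size_t nsize = b->size ? b->size : 64;
    while (nsize < need) nsize *= 2;
    char *n = realloc(b->content, nsize);
    if (!n) return -1;
    b->content = n;
    b->size = nsize;
    return 0;
}

static int buf_add(buf_t *b, const char *s) {
    size_t len = strlen(s);
    if (buf_grow(b, len) < 0) return -1;     /* extra bytes, not the total */
    memcpy(b->content + b->use, s, len + 1); /* copies the NUL as well */
    b->use += len;
    return 0;
}

/* The buggy bufferContentAndFree shrank the block to b->use bytes, which
 * is one short of what the NUL needs; any trim size below use + 1 is unsafe. */
static int trim_size_is_safe(const buf_t *b, size_t newsize) {
    return newsize >= b->use + 1;
}

/* Fixed behaviour: hand the block to the caller unchanged. The caller frees
 * it shortly anyway, so a shrinking realloc saves nothing worth the risk. */
static char *buf_content_and_free(buf_t *b) {
    char *c = b->content;
    b->content = NULL;
    b->use = b->size = 0;
    return c;
}

/* Builds a small XML fragment and returns the detached, NUL-terminated content. */
static char *build_xml(void) {
    buf_t b = {0};
    if (buf_add(&b, "<domain>") < 0 || buf_add(&b, "</domain>") < 0) {
        free(b.content);
        return NULL;
    }
    return buf_content_and_free(&b);
}
```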
