[Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities
Daniel P. Berrange
berrange at redhat.com
Tue Apr 29 13:36:20 UTC 2008
On Tue, Apr 29, 2008 at 02:46:14AM -0400, Daniel Veillard wrote:
> On Mon, Apr 28, 2008 at 11:42:47PM +0100, Daniel P. Berrange wrote:
> > The Xen driver uses a regex to process the hypervisor capabilities data
> >
> > "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";
> >
> > notice how the last match group, however, is optional due to the '?'. The
> > code processing matches does not check to see if the match is present or
> > not, and just indexes the string on match 3
> >
> > if (strncmp (&token[subs[3].rm_so], "p", 1) == 0)
> >
> > Unfortunately, subs[3].rm_so is -1 if the match was not present, so we're
> > doing an out of bounds array access here. This is fairly harmless, but it
> > is still good to fix it. So this patch adds a check for -1 before accessing
> > the match. I also replace the strncmp() calls with a call to the brand new
> > STRPREFIX() convenience macro
>
> Okidoc, i assume valgrind spotted that, that's fairly well hidden ...
Yeah, and valgrind only finds it on i386 - not x86_64, which is why I didn't
spot it for sooo long !
Dan.
--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list