[Libvir] PATCH: Avoid buffer out of bounds access in Xen capabilities

Daniel P. Berrange berrange at redhat.com
Tue Apr 29 13:36:20 UTC 2008


On Tue, Apr 29, 2008 at 02:46:14AM -0400, Daniel Veillard wrote:
> On Mon, Apr 28, 2008 at 11:42:47PM +0100, Daniel P. Berrange wrote:
> > The Xen driver uses a regex to process the hypervisor capabilities data
> > 
> >   "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";
> > 
> > notice how the last match group, however, is optional due to the '?'. The
> > code processing matches does not check to see if the match is present or
> > not, and just indexes the string on match 3
> > 
> >      if (strncmp (&token[subs[3].rm_so], "p", 1) == 0)
> > 
> > Unfortunately,  subs[3].rm_so is -1 if the match was not present, so we're
> > doing an out of bounds array access here. This is fairly harmless, but it
> > is still good to fix it. So this patch adds a check for -1 before accessing
> > the match. I also replace the strncmp() calls with a call to the brand new
> > STRPREFIX() convenience macro
> 
>   Okidoc, I assume valgrind spotted that, that's fairly well hidden ...

Yeah, and valgrind only finds it on i386 - not x86_64, which is why I didn't
spot it for sooo long !

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
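The bug discussed above, shown in a self-contained form. This is an added example, not libvirt's code: it compiles the capability regex quoted in the thread with POSIX regcomp()/regexec() and parses a token into flags. The names `capability_flags`, the `CAP_*` constants and the sample tokens are constructed for this example; the `STRPREFIX` macro here is a local stand-in modelled on the libvirt convenience macro the patch switches to, not the project's own definition. The point it demonstrates is the one Dan describes: when the optional third group `(p|be)?` does not participate in the match, `subs[3].rm_so` is -1, so indexing `token[subs[3].rm_so]` reads one byte before the buffer. The fix is to test `rm_so` for -1 before touching the match.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for libvirt's STRPREFIX() convenience macro (assumed form). */
#define STRPREFIX(a, b) (strncmp((a), (b), strlen(b)) == 0)

/* The Xen capabilities regex quoted in the thread; group 3 is optional. */
static const char *cap_re =
    "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";

/* Flag bits returned by capability_flags() (constructed for this example). */
enum {
    CAP_MATCHED = 1,  /* token matched the regex at all            */
    CAP_HVM     = 2,  /* group 1 was "hvm" rather than "xen"      */
    CAP_PAE     = 4,  /* optional group 3 was "p"                  */
    CAP_BE      = 8   /* optional group 3 was "be"                 */
};

/*
 * Parse one capability token. Returns -1 if the token does not match (or the
 * regex fails to compile), otherwise CAP_MATCHED OR'd with the other flags.
 */
int capability_flags(const char *token)
{
    regex_t re;
    regmatch_t subs[4];   /* whole match + 3 groups */
    int flags = CAP_MATCHED;

    if (regcomp(&re, cap_re, REG_EXTENDED) != 0)
        return -1;
    int rc = regexec(&re, token, 4, subs, 0);
    regfree(&re);
    if (rc != 0)
        return -1;

    /* Group 1 always participates in a successful match, so this is safe. */
    if (STRPREFIX(&token[subs[1].rm_so], "hvm"))
        flags |= CAP_HVM;

    /*
     * Group 3 is optional. When it does not participate, POSIX regexec()
     * sets subs[3].rm_so == subs[3].rm_eo == -1. Indexing token[-1] here
     * is the out-of-bounds read the patch in the thread fixes, so check
     * for -1 before dereferencing.
     */
    if (subs[3].rm_so != -1) {
        const char *suffix = &token[subs[3].rm_so];
        if (STRPREFIX(suffix, "p"))
            flags |= CAP_PAE;
        else if (STRPREFIX(suffix, "be"))
            flags |= CAP_BE;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample tokens in the format the regex expects. */
    const char *samples[] = {
        "xen-3.0-x86_32p",       /* optional group present: "p"  */
        "hvm-3.0-x86_64",        /* optional group absent        */
        "xen-3.0-powerpc64be",   /* optional group present: "be" */
        "not-a-capability"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> flags %d\n", samples[i], capability_flags(samples[i]));
    return 0;
}
```

As Dan notes, valgrind is what catches this class of defect: the one-byte read before the string is harmless most of the time, which is exactly why it survives review, and why the guard on `rm_so` is worth adding whenever a regex group is optional.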
