[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Fix latent buffer overflow in qemudOpenMonitorUnix.



On Sun, Aug 02, 2009 at 12:15:47PM +0200, Chris Lalancette wrote:
> Daniel P. Berrange wrote:
> > On Fri, Jul 31, 2009 at 03:20:09PM +0200, Chris Lalancette wrote:
> >> Fix a possible latent bug in qemudOpenMonitorUnix().  If the pathname
> >> to the monitor is very long (i.e. >= UNIX_MAX_PATH), then strncpy will
> >> *not* place a final \0 on the string (see "man strncpy").
> >> NULL terminate the buffer to ensure we don't run off the end.
> >>
> >> Signed-off-by: Chris Lalancette <clalance redhat com>
> >> ---
> >>  src/qemu_driver.c |    1 +
> >>  1 files changed, 1 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/src/qemu_driver.c b/src/qemu_driver.c
> >> index 9fcc07a..4f173b7 100644
> >> --- a/src/qemu_driver.c
> >> +++ b/src/qemu_driver.c
> >> @@ -910,6 +910,7 @@ qemudOpenMonitorUnix(virConnectPtr conn,
> >>      memset(&addr, 0, sizeof(addr));
> >>      addr.sun_family = AF_UNIX;
> >>      strncpy(addr.sun_path, monitor, sizeof(addr.sun_path));
> >> +    NUL_TERMINATE(addr.sun_path);
> >>  
> >>      do {
> >>          ret = connect(monfd, (struct sockaddr *) &addr, sizeof(addr));
> > 
> > ACK, but this mistake is made in pretty much every use of unix 
> > domain sockets :-( Could you fix the others here too.
> > 
> > 
> > Clearly strncpy() is just unfit for purpose, and we should plan to banish
> > it in favour of a virStrncpy impl that guarnetees to add the trailing \0.
> 
> Yeah, true.  Despite the ACKs from you and markmc, I decided not to commit this
> yet.  It's quite a theoretical bug (you'd have to have
> /var/very/long/non-standard/paths/to/libvirt), so I don't think it's absolutely
> critical right now.  I'll convert the rest of the users, and possible come up
> with a make syntax-check rule to prevent against future use.

  Agreed, thanks ! Let's see with Dan if we can cook up a really clean
  solution,

    thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]