[libvirt] [PATCH] qemu: avoid text monitor null deref

Eric Blake eblake at redhat.com
Thu Oct 13 00:21:37 UTC 2011


Detected by Coverity.  If, for some reason, our text monitor input
does not match our assumptions, we end up incrementing p while it
is NULL, then dereferencing the pointer 0x1, which will fault.

* src/qemu/qemu_monitor_text.c
(qemuMonitorTextGetBlockStatsParamsNumber): Rewrite to avoid
deref of strchr failure.  Fix indentation.
---
 src/qemu/qemu_monitor_text.c |   33 +++++++++++++++------------------
 1 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c
index 51e8c5c..1eb9846 100644
--- a/src/qemu/qemu_monitor_text.c
+++ b/src/qemu/qemu_monitor_text.c
@@ -1036,26 +1036,23 @@ int qemuMonitorTextGetBlockStatsParamsNumber(qemuMonitorPtr mon,
      * "floppy0: ")
      */
     p = strchr(p, ' ');
-    p++;

-    while (*p) {
-            if (STRPREFIX (p, "rd_bytes=") ||
-                STRPREFIX (p, "wr_bytes=") ||
-                STRPREFIX (p, "rd_operations=") ||
-                STRPREFIX (p, "wr_operations=") ||
-                STRPREFIX (p, "rd_total_times_ns=") ||
-                STRPREFIX (p, "wr_total_times_ns=") ||
-                STRPREFIX (p, "flush_operations=") ||
-                STRPREFIX (p, "flush_total_times_ns=")) {
-                num++;
-            } else {
-                VIR_DEBUG ("unknown block stat near %s", p);
-            }
+    while (p && p < eol) {
+        if (STRPREFIX (p, " rd_bytes=") ||
+            STRPREFIX (p, " wr_bytes=") ||
+            STRPREFIX (p, " rd_operations=") ||
+            STRPREFIX (p, " wr_operations=") ||
+            STRPREFIX (p, " rd_total_times_ns=") ||
+            STRPREFIX (p, " wr_total_times_ns=") ||
+            STRPREFIX (p, " flush_operations=") ||
+            STRPREFIX (p, " flush_total_times_ns=")) {
+            num++;
+        } else {
+            VIR_DEBUG ("unknown block stat near %s", p);
+        }

-            /* Skip to next label. */
-            p = strchr (p, ' ');
-            if (!p || p >= eol) break;
-            p++;
+        /* Skip to next label. */
+        p = strchr(p + 1, ' ');
     }

     *nparams = num;
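Review bot: the initial `p = strchr(p, ' ');` can now return NULL without any diagnostic, in which case the loop is skipped and `*nparams` is silently set to 0; consider adding a `VIR_DEBUG` (or returning an error) for that case so a malformed info blockstats line is visible rather than reported as a device with no stats. Minor: since `p` now points at the separating space, the existing `VIR_DEBUG ("unknown block stat near %s", p);` will print the label with a leading space, and `p + 1` in `p = strchr(p + 1, ' ');` relies on `p < eol` from the loop condition, which holds, so that part is safe.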
-- 
1.7.4.4