[Qemu-devel] [PATCH stable-0.15 29/36] vmdk: Fix possible segfaults

From: Andreas Färber
Subject: [Qemu-devel] [PATCH stable-0.15 29/36] vmdk: Fix possible segfaults
Date: Wed, 28 Mar 2012 14:52:32 +0200
From: Kevin Wolf <address@hidden>
Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
Signed-off-by: Bruce Rogers <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
---
block/vmdk.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 8284747..f4fce08 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int
parent)
cid_str_size = sizeof("CID");
}
+ desc[DESC_SIZE - 1] = '\0';
p_name = strstr(desc, cid_str);
if (p_name != NULL) {
p_name += cid_str_size;
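Review bot: the terminator written at desc[DESC_SIZE - 1] bounds the strstr() only on the assumption that desc is a DESC_SIZE-byte buffer that was filled completely by the preceding read; a one-line comment above the new line saying that the descriptor read from disk is not guaranteed to be NUL-terminated would record that assumption for the next reader. Note also that cid_str_size comes from sizeof("CID"), which counts the trailing NUL, so `p_name += cid_str_size` steps one byte past the matched string; if that is meant to skip the '=' separator, a comment stating so would avoid it being "fixed" later.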
@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t
cid)
BDRVVmdkState *s = bs->opaque;
int ret;
- memset(desc, 0, sizeof(desc));
ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
if (ret < 0) {
return ret;
}
+ desc[DESC_SIZE - 1] = '\0';
tmp_str = strstr(desc, "parentCID");
+ if (tmp_str == NULL) {
+ return -EINVAL;
+ }
+
pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
p_name = strstr(desc, "CID");
if (p_name != NULL) {
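Review bot: with the memset() removed and only `ret < 0` checked after bdrv_pread(), a short read leaves the bytes between ret and DESC_SIZE - 1 holding stale contents; the new terminator keeps both strstr() calls inside the buffer, but they can still match leftover data rather than the descriptor. Either keep the memset or reject `ret != DESC_SIZE` before the strstr() calls, e.g. `if (ret != DESC_SIZE) { return -EIO; }`. The `-EINVAL` return when "parentCID" is absent is the right fix for the pstrcpy() on a NULL tmp_str that followed.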
--
1.7.7