[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyo
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write |
Date: |
Tue, 05 Feb 2013 10:31:56 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2 |
On 02/05/2013 09:22 AM, Markus Armbruster wrote:
> Command memchar-write takes data and size parameter. Begs the
> question what happens when data doesn't match size.
>
> With format base64, qmp_memchar_write() copies the full data argument,
> regardless of size argument.
>
> With format utf8, qmp_memchar_write() copies size bytes from data,
> happily reading beyond data. Copies crap from the heap or even
> crashes.
>
> Drop the size parameter, and always copy the full data argument.
>
> Signed-off-by: Markus Armbruster <address@hidden>
> ---
> hmp.c | 4 +---
> qapi-schema.json | 4 +---
> qemu-char.c | 8 +++-----
> qmp-commands.hx | 4 +---
> 4 files changed, 6 insertions(+), 14 deletions(-)
> if (has_format && (format == DATA_FORMAT_BASE64)) {
> write_data = g_base64_decode(data, &write_count);
> } else {
> write_data = (uint8_t *)data;
> + write_count = strlen(data);
> }
Obviously, base64 is the only way to write an embedded NUL. But what
happens if the user requests base64 encoding, but the utf8 string that
got passed in through JSON is not a valid base64-encoded string? Does
g_base64_decode report an error in that case, and should you be handling
the error here?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
- Re: [Qemu-devel] [PATCH for-1.4 02/12] qmp: Clean up design of memchar-read, (continued)
- [Qemu-devel] [PATCH for-1.4 06/12] qmp: Drop wasteful zero-initialization in qmp_memchar_read(), Markus Armbruster, 2013/02/05
- [Qemu-devel] [PATCH for-1.4 07/12] qemu-char: Fix chardev "memory" not to drop IAC characters, Markus Armbruster, 2013/02/05
- [Qemu-devel] [PATCH for-1.4 05/12] qmp: Drop superfluous special case "empty" in qmp_memchar_read(), Markus Armbruster, 2013/02/05
- [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/05
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write,
Eric Blake <=
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/05
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Luiz Capitulino, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Luiz Capitulino, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Peter Maydell, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, mdroth, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, Markus Armbruster, 2013/02/06
- Re: [Qemu-devel] [PATCH for-1.4 01/12] qmp: Fix design bug and read beyond buffer in memchar-write, mdroth, 2013/02/06