Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
Date: Fri, 21 Feb 2014 16:55:20 +0000
On 21 February 2014 16:51, Peter Maydell <address@hidden> wrote:
> On 21 February 2014 16:42, Markus Armbruster <address@hidden> wrote:
>> readlink() doesn't write a terminating null byte.
>> assign_failed_examine() passes the unterminated string to strrchr().
>> Oops. Terminate it.
>>
>> Spotted by Coverity.
>>
>> Signed-off-by: Markus Armbruster <address@hidden>
>> ---
>> hw/i386/kvm/pci-assign.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
>> index 9686801..a825871 100644
>> --- a/hw/i386/kvm/pci-assign.c
>> +++ b/hw/i386/kvm/pci-assign.c
>> @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
>> goto fail;
>> }
>>
>> + driver[r] = 0;
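Review bot: `driver[r] = 0;` is in bounds only if the check ending in the `goto fail` just above rejects `r == sizeof(driver)`; the hunk's context shows the `goto fail` but not its condition, so either confirm that bound in the commit message or pass `sizeof(driver) - 1` as readlink()'s third argument so the terminator always fits. Writing the terminator as `'\0'` rather than `0` would also make the intent clearer.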
>
> This will write off the end of the buffer if readlink()
> filled it completely, won't it? I think you also need
> to change the readlink() 3rd argument to "sizeof(driver) - 1".
Apologies for this aspersion -- we check for
"r == sizeof(driver)" and bail out before we get here,
so the patch is ok.
Reviewed-by: Peter Maydell <address@hidden>
thanks
-- PMM
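The pattern under review, as an added example that is neither QEMU code nor Markus's patch: readlink() into a fixed buffer, the "r == sizeof(driver)" bail-out Peter refers to, the terminator write from the patch, then strrchr() for the last component. The helper names, the sysfs driver-symlink shape and the use of the basename as a driver name are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>

/* Terminate a readlink() result in place: the one-line fix from the patch.
 * readlink() returns the byte count it stored and never appends a NUL, so a
 * count equal to the buffer size leaves no room for one; that is the
 * "r == sizeof(driver)" case the caller must bail out on before this write.
 * Returns 0 on success, -1 if r is an error or the buffer is full. */
static int terminate_link(char *buf, size_t bufsz, ssize_t r)
{
    if (r < 0 || (size_t)r >= bufsz) {
        return -1;
    }
    buf[r] = '\0';
    return 0;
}

/* Last path component of a terminated target, e.g. the driver name behind a
 * sysfs ".../driver" symlink (assumed to be what the strrchr() call is for). */
static const char *link_basename(const char *target)
{
    const char *slash = strrchr(target, '/');
    return slash ? slash + 1 : target;
}

/* Full sequence on a real symlink: readlink(), bounds check, terminate, then
 * strrchr(). Returns NULL when readlink() fails or the target does not fit. */
static const char *readlink_basename(const char *path, char *buf, size_t bufsz)
{
    ssize_t r = readlink(path, buf, bufsz);
    if (terminate_link(buf, bufsz, r) < 0) {
        return NULL;    /* error, or target filled the buffer (maybe truncated) */
    }
    return link_basename(buf);
}

/* Stand-in for readlink() with a constructed target, so the helpers above can
 * be exercised without a filesystem: copies at most bufsz bytes, no NUL. */
static ssize_t fake_readlink(const char *target, char *buf, size_t bufsz)
{
    size_t n = strlen(target);
    if (n > bufsz) {
        n = bufsz;
    }
    memcpy(buf, target, n);
    return (ssize_t)n;
}
```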