[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] usb: fix serial generator
|
From: |
Eric Blake |
|
Subject: |
Re: [Qemu-devel] [PATCH] usb: fix serial generator |
|
Date: |
Wed, 5 Oct 2016 08:14:55 -0500 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 |
On 10/05/2016 04:33 AM, Gerd Hoffmann wrote:
> snprintf return value is *not* the number of chars written into the
> buffer, but the number of chars needed. So in case the buffer is too
> small you can go alloc a bigger one and try again. But that also means
> you can't simply use the return value for the next snprintf call
> without checking beforehand that things did actually fit.
>
> Problem is that usb_desc_create_serial didn't perform that check, so a
> loooong path string (can happen with deep pci-bridge nesting) results in
> the third snprintf call smashing the stack.
Is this exploitable enough to need a CVE?
>
> Fix this by throwing out all the snpintf calls and use g_strdup_printf
s/snpintf/snprintf/
> instead.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1381630
>
> Reported-by: Thomas Huth <address@hidden>
> Signed-off-by: Gerd Hoffmann <address@hidden>
> ---
> hw/usb/desc.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
Reviewed-by: Eric Blake <address@hidden>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature