Subject: [Qemu-devel] [PATCH for-1.4 v2 01/13] qmp: Fix design bug and read beyond buffer in memchar-write
From: Markus Armbruster
Date: Wed, 6 Feb 2013 21:27:14 +0100
Command memchar-write takes data and size parameters. Begs the
question what happens when data doesn't match size.
With format base64, qmp_memchar_write() copies the full data argument,
regardless of size argument.
With format utf8, qmp_memchar_write() copies size bytes from data,
happily reading beyond data. Copies crap from the heap or even
crashes.
Drop the size parameter, and always copy the full data argument.
Signed-off-by: Markus Armbruster <address@hidden>
---
hmp.c | 4 +---
qapi-schema.json | 4 +---
qemu-char.c | 8 +++-----
qmp-commands.hx | 4 +---
4 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/hmp.c b/hmp.c
index 1689e6f..9fdf1ce 100644
--- a/hmp.c
+++ b/hmp.c
@@ -664,13 +664,11 @@ void hmp_pmemsave(Monitor *mon, const QDict *qdict)
void hmp_memchar_write(Monitor *mon, const QDict *qdict)
{
- uint32_t size;
const char *chardev = qdict_get_str(qdict, "device");
const char *data = qdict_get_str(qdict, "data");
Error *errp = NULL;
- size = strlen(data);
- qmp_memchar_write(chardev, size, data, false, 0, &errp);
+ qmp_memchar_write(chardev, data, false, 0, &errp);
hmp_handle_error(mon, &errp);
}
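Review bot: the local `Error *errp = NULL;` kept in this hunk is a plain `Error *`, so by QEMU naming convention it should be `err` (with `&err` passed to `qmp_memchar_write()` and `hmp_handle_error()`); `errp` is reserved for the `Error **` out-parameter of a callee. Since the hunk already rewrites the surrounding lines, renaming here costs nothing. Dropping the `strlen(data)` in HMP is correct once the utf8 path in `qmp_memchar_write()` computes the length itself, so the HMP and QMP handlers can no longer disagree about the byte count.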
diff --git a/qapi-schema.json b/qapi-schema.json
index cdd8384..9e2cbbd 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -346,8 +346,6 @@
#
# @device: the name of the memory char device.
#
-# @size: the size to write in bytes.
-#
# @data: the source data write to memchar.
#
# @format: #optional the format of the data write to chardev 'memory',
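Review bot: with `@size` gone, the `@data` description ("the source data write to memchar") should say how the number of bytes written is now determined, since it differs per format: for utf8 it is the length of the string, for base64 it is the decoded length. Something like "@data: the data to write; its length (after base64 decoding, if applicable) determines how many bytes are written" would close the gap the removed parameter leaves.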
@@ -359,7 +357,7 @@
# Since: 1.4
##
{ 'command': 'memchar-write',
- 'data': {'device': 'str', 'size': 'int', 'data': 'str',
+ 'data': {'device': 'str', 'data': 'str',
'*format': 'DataFormat'} }
##
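Review bot: removing `'size': 'int'` from the `'data'` dict is an incompatible change to the command's wire format, which is only acceptable because the command is marked `# Since: 1.4` and 1.4 is the release this series targets (hence the "for-1.4" tag). The commit message should state explicitly that the command has not shipped in a release yet, so reviewers and later readers of the log do not mistake this for an ABI break.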
diff --git a/qemu-char.c b/qemu-char.c
index ac5d62d..9c1dd13 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2753,9 +2753,8 @@ static bool qemu_is_chr(const CharDriverState *chr, const
char *filename)
return strcmp(chr->filename, filename);
}
-void qmp_memchar_write(const char *device, int64_t size,
- const char *data, bool has_format,
- enum DataFormat format,
+void qmp_memchar_write(const char *device, const char *data,
+ bool has_format, enum DataFormat format,
Error **errp)
{
CharDriverState *chr;
@@ -2774,12 +2773,11 @@ void qmp_memchar_write(const char *device, int64_t size,
return;
}
- write_count = (gsize)size;
-
if (has_format && (format == DATA_FORMAT_BASE64)) {
write_data = g_base64_decode(data, &write_count);
} else {
write_data = (uint8_t *)data;
+ write_count = strlen(data);
}
ret = cirmem_chr_write(chr, write_data, write_count);
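Review bot: after this hunk `write_count` is assigned only inside the two branches, so its declaration (not shown) must still be `gsize`, because `g_base64_decode()` writes its output length through a `gsize *`; the old `(gsize)size` cast suggests it already is, but worth confirming. `strlen(data)` is the right length for the utf8 path since a QMP `str` argument cannot contain an embedded NUL, and the base64 branch can no longer read past the decoded buffer because its length now comes from the decoder rather than the caller. Unchanged in the visible lines: the buffer returned by `g_base64_decode()` is never `g_free()`d; the thread index shows patch 05/13 ("Plug memory leaks in memchar-write, memchar-read") addressing that, so a one-line pointer in this commit message would help readers bisecting the series.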
diff --git a/qmp-commands.hx b/qmp-commands.hx
index bbb21f3..8468f10 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -467,7 +467,7 @@ EQMP
{
.name = "memchar-write",
- .args_type = "device:s,size:i,data:s,format:s?",
+ .args_type = "device:s,data:s,format:s?",
.mhandler.cmd_new = qmp_marshal_input_memchar_write,
},
@@ -481,7 +481,6 @@ char device.
Arguments:
- "device": the name of the char device, must be unique (json-string)
-- "size": the memory size, in bytes, should be power of 2 (json-int)
- "data": the source data write to memory (json-string)
- "format": the data format write to memory, default is
utf8. (json-string, optional)
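Review bot: the removed `"size"` line described "the memory size, in bytes, should be power of 2", which is the ring buffer's size, not the write size, so the hunk also removes documentation that was wrong for this command; the commit message could mention that. While touching this block, the remaining `"data": the source data write to memory` reads awkwardly; suggest `"data": the data to write (json-string)`, and for `"format"` note that with `base64` the decoded bytes are written.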
@@ -491,7 +490,6 @@ Example:
-> { "execute": "memchar-write",
"arguments": { "device": foo,
- "size": 8,
"data": "abcdefgh",
"format": "utf8" } }
<- { "return": {} }
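Review bot: the example kept in this hunk still shows `"device": foo` with an unquoted value, which is not valid JSON and will not be accepted by the QMP parser; it should read `"device": "foo"`. Since the hunk already edits this example, fix it here rather than leaving it for a later cleanup.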
--
1.7.11.7