
Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer


From: 刘令
Subject: Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer
Date: Fri, 18 Dec 2015 03:46:17 +0000

Hello Prasad,

Can you give this a CVE id?

Thank you.

-----Original Message-----
From: P J P [mailto:address@hidden 
Sent: Thursday, December 17, 2015 8:41 PM
To: address@hidden
Cc: 刘令
Subject: [PATCH] hmp: avoid redundant null termination of buffer

Hello,

An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while 
processing the 'sendkey' command, if the command argument was longer than the 
'keyname_buf[16]' buffer.

===
From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Thu, 17 Dec 2015 17:47:15 +0530
Subject: [PATCH] hmp: avoid redundant null termination of buffer

When processing 'sendkey' command, hmp_sendkey routine null terminates the 
'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was 
to fall outside of 'keyname_buf' array.
Removed the redundant null termination, as pstrcpy routine already null 
terminates the target buffer.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
  hmp.c | 2 --
  1 file changed, 2 deletions(-)

diff --git a/hmp.c b/hmp.c
index 2140605..e530c9c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
          /* Be compatible with old interface, convert user inputted "<" */
          if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
              pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
-            keyname_len = 4;
          }
-        keyname_buf[keyname_len] = 0;

          keylist = g_malloc0(sizeof(*keylist));
          keylist->value = g_malloc0(sizeof(*keylist->value));
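Review bot: the commit message calls the `keyname_buf[keyname_len] = 0` store redundant, but keyname_len is computed separately from the copy that fills keyname_buf (neither is in this hunk), and the "<" branch set keyname_len to 4 only so that this store would land right after "less"; that suggests the store is what cuts the name at the key separator, not a duplicate terminator, and if the earlier copy pulls in the whole remaining input, dropping the line changes which name is looked up for inputs such as "ctrl-alt-delete". The underlying problem is that keyname_len is taken from user input and trusted as an index without a bound, so the safer change is to reject the name before the copy, e.g. `if (keyname_len >= sizeof(keyname_buf)) { /* report invalid key */ }`, and keep the termination. If the store really is redundant, the commit message should say where the earlier copy already terminates the buffer so a reader can verify it from the diff.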
--
2.4.3
===

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 
DD13 3D32 FE5B 041F
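As an added example (not the patch's code and not QEMU's own), the same key-name loop with the length check done before the copy, so keyname_len is never used as an index past the buffer. The loop shape around the hunk ('-' separated names, keyname_len taken from the input) is assumed from context, since the page shows only its tail.

```c
#include <stddef.h>
#include <string.h>

#define KEYNAME_BUF_SIZE 16   /* same size as hmp_sendkey's keyname_buf[16] */

/* Bounded copy with the contract the commit message attributes to pstrcpy:
 * at most buf_size-1 bytes are copied and the result is always NUL-terminated.
 * (Local reimplementation for this example, not QEMU's util code.) */
static void bounded_copy(char *buf, size_t buf_size, const char *str, size_t n)
{
    if (n >= buf_size) {
        n = buf_size - 1;
    }
    memcpy(buf, str, n);
    buf[n] = '\0';
}

/* Split a "ctrl-alt-delete" style key list into names, as hmp_sendkey does
 * (assumed loop shape; the page shows only the tail of it). keyname_len comes
 * from the user's input, so it is checked against the buffer size before any
 * store uses it as an index. Returns the number of names, or -1 if a name
 * does not fit or the output table is full. */
int split_keynames(const char *keys, char out[][KEYNAME_BUF_SIZE], int max_out)
{
    int count = 0;
    for (;;) {
        const char *separator = strchr(keys, '-');
        size_t keyname_len = separator ? (size_t)(separator - keys) : strlen(keys);

        if (keyname_len >= KEYNAME_BUF_SIZE || count == max_out) {
            return -1;   /* reject instead of truncating or writing past the end */
        }
        bounded_copy(out[count], KEYNAME_BUF_SIZE, keys, keyname_len);

        /* Be compatible with the old interface: a bare "<" means "less" */
        if (keyname_len == 1 && out[count][0] == '<') {
            bounded_copy(out[count], KEYNAME_BUF_SIZE, "less", 4);
        }
        count++;
        if (!separator) {
            return count;
        }
        keys = separator + 1;
    }
}
/* Helpers for checking results without passing the table around. */
static char parsed[8][KEYNAME_BUF_SIZE];
int parse_keys(const char *keys) { return split_keynames(keys, parsed, 8); }
const char *key_at(int i) { return parsed[i]; }
```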
