Re: [Qemu-devel] [PATCH v3 5/5] migration: Use strnlen() for fixed-size string
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH v3 5/5] migration: Use strnlen() for fixed-size string
Date: Tue, 18 Dec 2018 22:24:19 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
On 18/12/18 20:33, Eric Blake wrote:
>> diff --git a/migration/global_state.c b/migration/global_state.c
>> index 6e19333422..c19030ef62 100644
>> --- a/migration/global_state.c
>> +++ b/migration/global_state.c
>> @@ -106,7 +106,7 @@ static int global_state_pre_save(void *opaque)
>> GlobalState *s = opaque;
>> trace_migrate_global_state_pre_save((char *)s->runstate);
>> - s->size = strlen((char *)s->runstate) + 1;
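Review bot: the quoted hunk shows only the removed `s->size = strlen((char *)s->runstate) + 1;` line and not its replacement, so the bound handed to strnlen() cannot be checked from this context; it should be sizeof(s->runstate) rather than a literal, and since strnlen() returns that bound when the array holds no NUL, the `+ 1` would still yield a size one past the array in that case, which should either be rejected explicitly or be justified in the commit message by the fact that pre_save only ever sees locally written, terminated data.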
>
> The old code sets s->size to the string length + space for the NUL byte
> (by assuming that a NUL byte was present), and accidentally sets it
> beyond the s->runstate array if there was no NUL byte (our existing
> runstate names are shorter than 100 bytes, so this could only happen on
> a malicious stream).
It cannot---this is a pre_save hook. A possible overflow bug exists,
but it is in the call to qapi_enum_parse.
Paolo
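As an added example, not QEMU's code or the patch under review, a stand-in for the pre_save size computation the quoted comment describes: the strlen() form beside a strnlen() form that refuses an unterminated buffer instead of storing a size larger than the array. The GlobalState layout, its 100-byte runstate array and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strnlen() under strict -std= modes */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for QEMU's GlobalState (added example, not QEMU code). */
typedef struct {
    uint32_t size;
    uint8_t runstate[100];
} GlobalState;

/* Mirrors the removed line: strlen() assumes a NUL is present, so on an
 * unterminated array it reads past the end and yields size > sizeof(runstate). */
static uint32_t size_with_strlen(const GlobalState *s)
{
    return (uint32_t)strlen((const char *)s->runstate) + 1;
}

/* Bounded version: strnlen() never reads past the array. A result equal to the
 * array length means no terminator, so report that rather than store len + 1. */
static int size_with_strnlen(const GlobalState *s, uint32_t *out)
{
    size_t len = strnlen((const char *)s->runstate, sizeof(s->runstate));
    if (len == sizeof(s->runstate)) {
        return -1;                /* unterminated: caller must reject */
    }
    *out = (uint32_t)len + 1;     /* name plus its NUL, <= sizeof(runstate) */
    return 0;
}

/* Constructed input: NUL-pad the array, or fill it with 'x' so no NUL exists. */
static void set_runstate(GlobalState *s, const char *name, int terminate)
{
    size_t n = strlen(name);
    memset(s->runstate, terminate ? 0 : 'x', sizeof(s->runstate));
    memcpy(s->runstate, name, n < sizeof(s->runstate) ? n : sizeof(s->runstate));
}

int main(void)
{
    GlobalState s;
    uint32_t size = 0;
    int rc;
    set_runstate(&s, "running", 1);
    rc = size_with_strnlen(&s, &size);
    printf("terminated: strlen %u, strnlen rc=%d size=%u\n", size_with_strlen(&s), rc, size);
    set_runstate(&s, "running", 0);
    printf("unterminated: strnlen rc=%d\n", size_with_strnlen(&s, &size));
    return 0;
}
```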