
Re: [Qemu-devel] [PATCH v3 5/5] migration: Use strnlen() for fixed-size


From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH v3 5/5] migration: Use strnlen() for fixed-size string
Date: Tue, 18 Dec 2018 22:24:19 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1

On 18/12/18 20:33, Eric Blake wrote:
>> diff --git a/migration/global_state.c b/migration/global_state.c
>> index 6e19333422..c19030ef62 100644
>> --- a/migration/global_state.c
>> +++ b/migration/global_state.c
>> @@ -106,7 +106,7 @@ static int global_state_pre_save(void *opaque)
>>       GlobalState *s = opaque;
>>         trace_migrate_global_state_pre_save((char *)s->runstate);
>> -    s->size = strlen((char *)s->runstate) + 1;
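Review bot: the quoted region shows only the removed `strlen((char *)s->runstate) + 1` line, so the bound passed to the replacement strnlen() cannot be checked here; it should be sizeof(s->runstate), and s->size must still include the terminating NUL so the receiver gets the same framing as before. Since global_state_pre_save() runs on the sending side, s->runstate was filled locally and a missing NUL here cannot come from the migration stream; the stream-facing bounds check belongs where the received string is parsed (the qapi_enum_parse() call the reply points at), which this hunk does not touch.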
> 
> The old code sets s->size to the string length + space for the NUL byte
> (by assuming that a NUL byte was present), and accidentally sets it
> beyond the s->runstate array if there was no NUL byte (our existing
> runstate names are shorter than 100 bytes, so this could only happen on
> a malicious stream).

It cannot---this is a pre_save hook.  A possible overflow bug exists,
but it is in the call to qapi_enum_parse.

Paolo
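The distinction Paolo draws above, between the locally filled buffer on the pre_save side and the untrusted bytes on the post_load side, is easier to see in code. The following is an added example, not QEMU's code: it models a fixed-size string field like s->runstate with a constructed RUNSTATE_LEN, bounds the pre_save length computation with strnlen(), and shows the check a post_load hook needs before it hands the received string to any parser. All names (ExampleState, example_*) are invented for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strnlen() */
#include <stdio.h>
#include <string.h>

/* Constructed example, not QEMU code: a fixed-size string field like
 * s->runstate in the hunk quoted above. RUNSTATE_LEN is an assumed value. */
#define RUNSTATE_LEN 100

typedef struct {
    size_t size;                        /* length incl. NUL, as sent on the wire */
    unsigned char runstate[RUNSTATE_LEN];
} ExampleState;

/* Source side (pre_save): the buffer was filled locally, so it is already
 * NUL-terminated, but strnlen() caps the read at the array bound regardless.
 * Returns the size that would be transmitted. */
size_t example_pre_save_size(ExampleState *s)
{
    size_t len = strnlen((const char *)s->runstate, sizeof(s->runstate));
    s->size = len + 1;
    return s->size;
}

/* Destination side (post_load): size and runstate both come from the stream.
 * Reject anything a string parser could read past. Returns 0 = ok, -1 = bad. */
int example_post_load_check(const ExampleState *s)
{
    if (s->size == 0 || s->size > sizeof(s->runstate)) {
        return -1;                      /* claimed size does not fit the array */
    }
    if (strnlen((const char *)s->runstate, s->size) == s->size) {
        return -1;                      /* no NUL within the claimed size */
    }
    return 0;
}

/* Build a constructed state: poison the struct so a missing NUL is visible,
 * then copy n bytes in and set the claimed size. */
static void fill(ExampleState *s, const char *bytes, size_t n, size_t size)
{
    memset(s, 0xAA, sizeof(*s));
    memcpy(s->runstate, bytes, n);
    s->size = size;
}

/* Locally filled "running" gives size 7 + 1 = 8. */
size_t example_pre_save_demo(void)
{
    ExampleState s;
    fill(&s, "running", 8, 0);
    return example_pre_save_size(&s);
}

/* Well-formed stream: "running" plus NUL, size 8. */
int example_check_well_formed(void)
{
    ExampleState s;
    fill(&s, "running", 8, 8);
    return example_post_load_check(&s);
}

/* Stream whose 100-byte field carries no terminator at all. */
int example_check_no_nul(void)
{
    ExampleState s;
    unsigned char junk[RUNSTATE_LEN];
    memset(junk, 'A', sizeof(junk));
    fill(&s, (const char *)junk, sizeof(junk), RUNSTATE_LEN);
    return example_post_load_check(&s);
}

/* Stream whose size field claims more bytes than the array holds. */
int example_check_oversized(void)
{
    ExampleState s;
    fill(&s, "running", 8, RUNSTATE_LEN + 1);
    return example_post_load_check(&s);
}

int main(void)
{
    printf("pre_save size: %zu\n", example_pre_save_demo());
    printf("well-formed: %d, no NUL: %d, oversized: %d\n",
           example_check_well_formed(), example_check_no_nul(),
           example_check_oversized());
    return 0;
}
```

The pre_save path never fails because its input is trusted; strnlen() there only guarantees the read stays inside the array. The post_load check is the one that matters for a hostile stream: it refuses the buffer before any strlen()-style parser sees it, rather than relying on the parser to stop.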
