1. Patchew
  2. QEMU
  3. View series

[PATCH for-8.0] ui/vnc: fix bad address parsing

Vladimir Sementsov-Ogievskiy posted 1 patch 1 year, 4 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20221206192334.65012-1-vsementsov@yandex-team.ru
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
ui/vnc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH for-8.0] ui/vnc: fix bad address parsing
Posted by Vladimir Sementsov-Ogievskiy 1 year, 4 months ago 
IF addrstr == "[" and websocket is true, hostlen becomes 0 and we try
to access addrstr[hostlen-1] which is bad idea.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
---
 ui/vnc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 88f55cbf3c..8830bfe382 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr,
 
         addr->type = SOCKET_ADDRESS_TYPE_INET;
         inet = &addr->u.inet;
-        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+        if (hostlen >= 2 && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
             inet->host = g_strndup(addrstr + 1, hostlen - 2);
         } else {
             inet->host = g_strndup(addrstr, hostlen);
-- 
2.34.1
Re: [PATCH for-8.0] ui/vnc: fix bad address parsing
Posted by Philippe Mathieu-Daudé 1 year, 4 months ago 
On 6/12/22 20:23, Vladimir Sementsov-Ogievskiy wrote:
> IF addrstr == "[" and websocket is true, hostlen becomes 0 and we try
> to access addrstr[hostlen-1] which is bad idea.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> ---
>   ui/vnc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 88f55cbf3c..8830bfe382 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr,
>   
>           addr->type = SOCKET_ADDRESS_TYPE_INET;
>           inet = &addr->u.inet;
> -        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
> +        if (hostlen >= 2 && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
>               inet->host = g_strndup(addrstr + 1, hostlen - 2);
>           } else {
>               inet->host = g_strndup(addrstr, hostlen);

If addrstr is "[" then inet->host ends up being "[" too now, right?

I was pretty sure we had a helper for that, but can't find any.
Re: [PATCH for-8.0] ui/vnc: fix bad address parsing
Posted by Vladimir Sementsov-Ogievskiy 1 year, 3 months ago 
On 12/6/22 23:12, Philippe Mathieu-Daudé wrote:
> I was pretty sure we had a helper for that, but can't find any.


is uri_parse() from util/uri.c appropriate?

-- 
Best regards,
Vladimir
Re: [PATCH for-8.0] ui/vnc: fix bad address parsing
Posted by Vladimir Sementsov-Ogievskiy 1 year, 4 months ago 
On 12/6/22 23:12, Philippe Mathieu-Daudé wrote:
> On 6/12/22 20:23, Vladimir Sementsov-Ogievskiy wrote:
>> IF addrstr == "[" and websocket is true, hostlen becomes 0 and we try
>> to access addrstr[hostlen-1] which is bad idea.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
>> ---
>>   ui/vnc.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ui/vnc.c b/ui/vnc.c
>> index 88f55cbf3c..8830bfe382 100644
>> --- a/ui/vnc.c
>> +++ b/ui/vnc.c
>> @@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr,
>>           addr->type = SOCKET_ADDRESS_TYPE_INET;
>>           inet = &addr->u.inet;
>> -        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
>> +        if (hostlen >= 2 && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
>>               inet->host = g_strndup(addrstr + 1, hostlen - 2);
>>           } else {
>>               inet->host = g_strndup(addrstr, hostlen);
> 
> If addrstr is "[" then inet->host ends up being "[" too now, right?
> 
> I was pretty sure we had a helper for that, but can't find any.

that's all a bit strange, let's add a bit of debugging:
diff --git a/ui/vnc.c b/ui/vnc.c
index 88f55cbf3c..b1d463e67a 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3770,6 +3770,7 @@ static int vnc_display_get_address(const char *addrstr,
          } else {
              inet->host = g_strndup(addrstr, hostlen);
          }
+        printf("%s: websocket: %d, host: %s, port: %s\n", __func__, websocket, inet->host, port);
          /* plain VNC port is just an offset, for websocket
           * port is absolute */
          if (websocket) {


then:



./build/qemu-system-x86_64 -vnc [
qemu-system-x86_64: -vnc [: no vnc port specified


./build/qemu-system-x86_64 -vnc [,websocket
qemu-system-x86_64: -vnc [,websocket: warning: short-form boolean option 'websocket' deprecated
Please use websocket=on instead
qemu-system-x86_64: -vnc [,websocket: no vnc port specified



./build/qemu-system-x86_64 -vnc [:0,websocket
qemu-system-x86_64: -vnc [:0,websocket: warning: short-form boolean option 'websocket' deprecated
Please use websocket=on instead
vnc_display_get_address: websocket: 0, host: [, port: 0
vnc_display_get_address: websocket: 1, host: , port: on
qemu-system-x86_64: -vnc [:0,websocket: address resolution failed for [:5900: Name or service not known

./build/qemu-system-x86_64 -vnc [:0,websocket=on
vnc_display_get_address: websocket: 0, host: [, port: 0
vnc_display_get_address: websocket: 1, host: , port: on
qemu-system-x86_64: -vnc [:0,websocket=on: address resolution failed for [:5900: Name or service not known


so, "on" is treated as address string? (aha, that's OK, and it's parsed later in the code)

./build/qemu-system-x86_64 -vnc :0,websocket=[
vnc_display_get_address: websocket: 0, host: , port: 0
we are going to do bad thing!
vnc_display_get_address: websocket: 1, host: , port: [
qemu-system-x86_64: -vnc :0,websocket=[: address resolution failed for :[: Servname not supported for ai_socktype


-- 
Best regards,
Vladimir

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.