We first snprintf() to a fixed buffer, then g_strdup() the result
*boggle*.
Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus:
the 4 correctly accounts for '[', ']', ':' and '\0', but
INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not
one for inet->port! They are for host and port in *numeric* form
(exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host
can also be a hostname, and inet->port can be a service name, to be
resolved with getaddrinfo().
Fortunately, the only user so far is the "socket" network backend's
net_socket_connected(), which uses it to initialize a NetSocketState's
info_str[]. info_str[] has considerable more space: 256 instead of
55. So the bug's impact appears to be limited to truncated "info
networks" with the "socket" network backend.
The fix is obvious: use g_strdup_printf().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
util/qemu-sockets.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index 7c120c4..40164bf 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp)
{
char *buf;
InetSocketAddress *inet;
- char host_port[INET6_ADDRSTRLEN + 5 + 4];
switch (addr->type) {
case SOCKET_ADDRESS_KIND_INET:
inet = addr->u.inet.data;
if (strchr(inet->host, ':') == NULL) {
- snprintf(host_port, sizeof(host_port), "%s:%s", inet->host,
- inet->port);
- buf = g_strdup(host_port);
+ buf = g_strdup_printf("%s:%s", inet->host, inet->port);
} else {
- snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host,
- inet->port);
- buf = g_strdup(host_port);
+ buf = g_strdup_printf("[%s]:%s", inet->host, inet->port);
}
break;
--
2.7.4
On 23/03/2017 12:23, Markus Armbruster wrote:
> We first snprintf() to a fixed buffer, then g_strdup() the result
> *boggle*.
>
> Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus:
> the 4 correctly accounts for '[', ']', ':' and '\0', but
> INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not
> one for inet->port! They are for host and port in *numeric* form
> (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host
> can also be a hostname, and inet->port can be a service name, to be
> resolved with getaddrinfo().
>
> Fortunately, the only user so far is the "socket" network backend's
> net_socket_connected(), which uses it to initialize a NetSocketState's
> info_str[]. info_str[] has considerable more space: 256 instead of
> 55. So the bug's impact appears to be limited to truncated "info
> networks" with the "socket" network backend.
>
> The fix is obvious: use g_strdup_printf().
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
> util/qemu-sockets.c | 9 ++-------
> 1 file changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
> index 7c120c4..40164bf 100644
> --- a/util/qemu-sockets.c
> +++ b/util/qemu-sockets.c
> @@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp)
> {
> char *buf;
> InetSocketAddress *inet;
> - char host_port[INET6_ADDRSTRLEN + 5 + 4];
/me learnt about INET6_ADDRSTRLEN today.
> switch (addr->type) {
> case SOCKET_ADDRESS_KIND_INET:
> inet = addr->u.inet.data;
> if (strchr(inet->host, ':') == NULL) {
> - snprintf(host_port, sizeof(host_port), "%s:%s", inet->host,
> - inet->port);
> - buf = g_strdup(host_port);
> + buf = g_strdup_printf("%s:%s", inet->host, inet->port);
> } else {
> - snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host,
> - inet->port);
> - buf = g_strdup(host_port);
> + buf = g_strdup_printf("[%s]:%s", inet->host, inet->port);
> }
> break;
>
>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
On Thu, Mar 23, 2017 at 12:23:28PM +0100, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
On 03/23/2017 08:23 AM, Markus Armbruster wrote:
> We first snprintf() to a fixed buffer, then g_strdup() the result
> *boggle*.
>
> Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus:
> the 4 correctly accounts for '[', ']', ':' and '\0', but
> INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not
> one for inet->port! They are for host and port in *numeric* form
> (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host
> can also be a hostname, and inet->port can be a service name, to be
> resolved with getaddrinfo().
>
> Fortunately, the only user so far is the "socket" network backend's
> net_socket_connected(), which uses it to initialize a NetSocketState's
> info_str[]. info_str[] has considerable more space: 256 instead of
> 55. So the bug's impact appears to be limited to truncated "info
> networks" with the "socket" network backend.
>
> The fix is obvious: use g_strdup_printf().
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> util/qemu-sockets.c | 9 ++-------
> 1 file changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
> index 7c120c4..40164bf 100644
> --- a/util/qemu-sockets.c
> +++ b/util/qemu-sockets.c
> @@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp)
> {
> char *buf;
> InetSocketAddress *inet;
> - char host_port[INET6_ADDRSTRLEN + 5 + 4];
>
> switch (addr->type) {
> case SOCKET_ADDRESS_KIND_INET:
> inet = addr->u.inet.data;
> if (strchr(inet->host, ':') == NULL) {
> - snprintf(host_port, sizeof(host_port), "%s:%s", inet->host,
> - inet->port);
> - buf = g_strdup(host_port);
> + buf = g_strdup_printf("%s:%s", inet->host, inet->port);
> } else {
> - snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host,
> - inet->port);
> - buf = g_strdup(host_port);
> + buf = g_strdup_printf("[%s]:%s", inet->host, inet->port);
> }
> break;
>
>
© 2016 - 2026 Red Hat, Inc.