We first snprintf() to a fixed buffer, then g_strdup() the result
*boggle*.
Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus:
the 4 correctly accounts for '[', ']', ':' and '\0', but
INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not
one for inet->port! They are for host and port in *numeric* form
(exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host
can also be a hostname, and inet->port can be a service name, to be
resolved with getaddrinfo().
Fortunately, the only user so far is the "socket" network backend's
net_socket_connected(), which uses it to initialize a NetSocketState's
info_str[]. info_str[] has considerable more space: 256 instead of
55. So the bug's impact appears to be limited to truncated "info
networks" with the "socket" network backend.
The fix is obvious: use g_strdup_printf().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
util/qemu-sockets.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index 7c120c4..40164bf 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp)
{
char *buf;
InetSocketAddress *inet;
- char host_port[INET6_ADDRSTRLEN + 5 + 4];
switch (addr->type) {
case SOCKET_ADDRESS_KIND_INET:
inet = addr->u.inet.data;
if (strchr(inet->host, ':') == NULL) {
- snprintf(host_port, sizeof(host_port), "%s:%s", inet->host,
- inet->port);
- buf = g_strdup(host_port);
+ buf = g_strdup_printf("%s:%s", inet->host, inet->port);
} else {
- snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host,
- inet->port);
- buf = g_strdup(host_port);
+ buf = g_strdup_printf("[%s]:%s", inet->host, inet->port);
}
break;
--
2.7.4
On 23/03/2017 12:23, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c > index 7c120c4..40164bf 100644 > --- a/util/qemu-sockets.c > +++ b/util/qemu-sockets.c > @@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp) > { > char *buf; > InetSocketAddress *inet; > - char host_port[INET6_ADDRSTRLEN + 5 + 4]; /me learnt about INET6_ADDRSTRLEN today. > switch (addr->type) { > case SOCKET_ADDRESS_KIND_INET: > inet = addr->u.inet.data; > if (strchr(inet->host, ':') == NULL) { > - snprintf(host_port, sizeof(host_port), "%s:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("%s:%s", inet->host, inet->port); > } else { > - snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("[%s]:%s", inet->host, inet->port); > } > break; > > Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
On Thu, Mar 23, 2017 at 12:23:28PM +0100, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
On 03/23/2017 08:23 AM, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c > index 7c120c4..40164bf 100644 > --- a/util/qemu-sockets.c > +++ b/util/qemu-sockets.c > @@ -1307,19 +1307,14 @@ char *socket_address_to_string(struct SocketAddress *addr, Error **errp) > { > char *buf; > InetSocketAddress *inet; > - char host_port[INET6_ADDRSTRLEN + 5 + 4]; > > switch (addr->type) { > case SOCKET_ADDRESS_KIND_INET: > inet = addr->u.inet.data; > if (strchr(inet->host, ':') == NULL) { > - snprintf(host_port, sizeof(host_port), "%s:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("%s:%s", inet->host, inet->port); > } else { > - snprintf(host_port, sizeof(host_port), "[%s]:%s", inet->host, > - inet->port); > - buf = g_strdup(host_port); > + buf = g_strdup_printf("[%s]:%s", inet->host, inet->port); > } > break; > >
© 2016 - 2024 Red Hat, Inc.