From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: "Michael S. Tsirkin", Michael Roth, qemu-ppc@nongnu.org, Bharata B Rao, Paolo Bonzini, Daniel Henrique Barboza, David Gibson
Date: Tue, 25 Jul 2017 19:58:53 +0200
Subject: [Qemu-devel] [for-2.11 PATCH 04/26] spapr_drc: use g_strdup_printf() instead of snprintf()

Passing a stack allocated buffer of arbitrary length to snprintf() without checking the return value can cause the resultant strings to be silently truncated.

Signed-off-by: Greg Kurz
--- hw/ppc/spapr_drc.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c index 15bae5c216a9..e4e8383ec7b5 100644 --- a/hw/ppc/spapr_drc.c +++ b/hw/ppc/spapr_drc.c @@ -488,7 +488,7 @@ static void realize(DeviceState *d, Error **errp) { sPAPRDRConnector *drc =3D SPAPR_DR_CONNECTOR(d); Object *root_container; - char link_name[256]; + gchar *link_name; gchar *child_name; Error *err =3D NULL; =20 
@@ -501,11 +501,12 @@ static void realize(DeviceState *d, Error **errp) * existing in the composition tree */ root_container =3D container_get(object_get_root(), DRC_CONTAINER_PATH= ); - snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc)); + link_name =3D g_strdup_printf("%x", spapr_drc_index(drc)); child_name =3D object_get_canonical_path_component(OBJECT(drc)); trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name); object_property_add_alias(root_container, link_name, drc->owner, child_name, &err); + g_free(link_name); if (err) { error_report_err(err); object_unref(OBJECT(drc)); @@ -521,13 +522,14 @@ static void unrealize(DeviceState *d, Error **errp) { sPAPRDRConnector *drc =3D SPAPR_DR_CONNECTOR(d); Object *root_container; - char name[256]; + gchar *name; Error *err =3D NULL; =20 trace_spapr_drc_unrealize(spapr_drc_index(drc)); root_container =3D container_get(object_get_root(), DRC_CONTAINER_PATH= ); - snprintf(name, sizeof(name), "%x", spapr_drc_index(drc)); + name =3D g_strdup_printf("%x", spapr_drc_index(drc)); object_property_del(root_container, name, &err); + g_free(name); if (err) { error_report_err(err); object_unref(OBJECT(drc)); @@ -729,10 +731,11 @@ static const TypeInfo spapr_drc_lmb_info =3D { sPAPRDRConnector *spapr_drc_by_index(uint32_t index) { Object *obj; - char name[256]; + gchar *name; =20 - snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index); + name =3D g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index); obj =3D object_resolve_path(name, NULL); + g_free(name); =20 return !obj ? NULL : SPAPR_DR_CONNECTOR(obj); }
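Review bot: the commit message's truncation rationale does not match the realize() hunks (@@ -488 and @@ -501). The removed `snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc))` writes only a few hex digits into a 256-byte buffer, so nothing could be truncated at this call site. Please say in the commit message that this is a consistency cleanup rather than a fix for an observed truncation, so it is not mistaken for a bug fix that needs backporting. The placement of `g_free(link_name)` before `if (err)` is fine, since it covers both the success and the error path.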
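Review bot: in the unrealize() hunk (@@ -521), `name =3D g_strdup_printf("%x", spapr_drc_index(drc));` is a second copy of the format already used for link_name in realize(), and the alias is only deleted correctly if both produce the same string. Consider a small static helper that returns the allocated alias name for a drc, used by both functions, with a comment that the caller must g_free() the result.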
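Review bot: in the spapr_drc_by_index() hunk (@@ -729), every lookup now allocates and frees a heap string to build `"%s/%x"` from DRC_CONTAINER_PATH and a uint32_t index. This is the only call site in the patch where the output length depends on something other than the index, so it is the one place the commit message's concern can apply. If this function is called often, the alternative is to keep a fixed buffer and assert that snprintf()'s return value is smaller than sizeof(name), which catches truncation without the allocation. Either way, a one-line comment on why the heap allocation was chosen would help later readers.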