1. Patchew
  2. QEMU
  3. [Qemu-devel] [PATCH 00/18] nbd: BLOCK_STATUS
  4. View patch

[Qemu-devel] [PATCH 05/18] nbd/client: fix drop_sync

Vladimir Sementsov-Ogievskiy posted 18 patches 9 years ago
[Qemu-devel] [PATCH 05/18] nbd/client: fix drop_sync
Posted by Vladimir Sementsov-Ogievskiy 9 years ago 
Comparison symbol is misused. It may lead to memory corruption.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---
 nbd/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nbd/client.c b/nbd/client.c
index 6caf6bda6d..351731bc63 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
     char small[1024];
     char *buffer;
 
-    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
+    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
     while (size > 0) {
         ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
 
-- 
2.11.0
Re: [Qemu-devel] [PATCH 05/18] nbd/client: fix drop_sync
Posted by Eric Blake 9 years ago 
On 02/03/2017 09:47 AM, Vladimir Sementsov-Ogievskiy wrote:
> Comparison symbol is misused. It may lead to memory corruption.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
>  nbd/client.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Adding qemu-stable; this needs to be back-ported, and can be applied
independently from your series.

Reviewed-by: Eric Blake <eblake@redhat.com>

> 
> diff --git a/nbd/client.c b/nbd/client.c
> index 6caf6bda6d..351731bc63 100644
> --- a/nbd/client.c
> +++ b/nbd/client.c
> @@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
>      char small[1024];
>      char *buffer;
>  
> -    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
> +    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
>      while (size > 0) {
>          ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
>  
> 

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Re: [Qemu-devel] [PATCH 05/18] nbd/client: fix drop_sync
Posted by Eric Blake 8 years, 11 months ago 
On 02/06/2017 05:17 PM, Eric Blake wrote:
> On 02/03/2017 09:47 AM, Vladimir Sementsov-Ogievskiy wrote:
>> Comparison symbol is misused. It may lead to memory corruption.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>> ---
>>  nbd/client.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Adding qemu-stable; this needs to be back-ported, and can be applied
> independently from your series.
> 
> Reviewed-by: Eric Blake <eblake@redhat.com>

For the record, this is now assigned CVE-2017-2630.  My apologies for
introducing the bug in the first place (commit 7d3123e).  The maintainer
may want to touch up the commit message to give those further details,
since it is security-related.

> 
>>
>> diff --git a/nbd/client.c b/nbd/client.c
>> index 6caf6bda6d..351731bc63 100644
>> --- a/nbd/client.c
>> +++ b/nbd/client.c
>> @@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
>>      char small[1024];
>>      char *buffer;
>>  
>> -    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
>> +    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
>>      while (size > 0) {
>>          ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
>>  
>>
> 

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.