[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 1/1 v4] Allow machines to configure the QEMU_VER
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH 1/1 v4] Allow machines to configure the QEMU_VERSION that's exposed via hardware |
Date: |
Wed, 23 May 2012 10:11:40 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1 |
On 05/23/2012 10:08 AM, Crístian Viana wrote:
>> So when you posted the previous version of your patch it was pointed
>> out that this is a buffer overflow:
>> http://lists.gnu.org/archive/html/qemu-devel/2012-04/msg01657.html
>>
>> You need to fix this.
>
> I have sent a reply to that thread explaining that the user actually
> doesn't have control of that string, that is only used internally in the
> code (just like the QEMU_VERSION macro).
> I fixed the code now with snprintf copying at most 12 chars to the
> string (the array size). I can't think of why pstrcat would be better in
> this case, as suggested by Erik.
s/Erik/Eric/, but you're not the first to make that typo.
pstrcat is more efficient than snprintf() - the former is dedicated to a
single task, while the latter has to parse a format string and decode
that it is doing a single %s expansion. In other words, just because
*printf can do string concatenation doesn't make it the best tool for
the job.
--
Eric Blake address@hidden +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature