Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-local.c: use snprintf() instead of sprintf()

[Chen Gang]

On 02/03/2014 06:34 PM, Daniel P. Berrange wrote:
> On Mon, Feb 03, 2014 at 06:00:42PM +0800, Chen Gang wrote:
>> We can not assume "'path' + 'ctx->fs_root'" must be less than MAX_PATH,
>> so need use snprintf() instead of sprintf().
>>
>> And also recommend to use ARRAY_SIZE instead of hard code macro for an
>> array size in snprintf().
> 
> In the event that there is overflow this will cause the data to be
> truncated, potentially causing QEMU to access the wrong file on the
> host. Both snprintf and sprintf are really bad because of their
> use of fixed buffers. Better to change it to g_strdup_printf which
> dynamically allocates buffers.
> 

That sounds reasonable to me, I will send patch v2 for it.


Thanks.
-- 
Chen Gang

Open, share and attitude like air, water and life which God blessed