From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
Date: Fri, 21 Feb 2014 16:51:37 +0000
On 21 February 2014 16:42, Markus Armbruster <address@hidden> wrote:
> readlink() doesn't write a terminating null byte.
> assign_failed_examine() passes the unterminated string to strrchr().
> Oops. Terminate it.
>
> Spotted by Coverity.
>
> Signed-off-by: Markus Armbruster <address@hidden>
> ---
> hw/i386/kvm/pci-assign.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
> index 9686801..a825871 100644
> --- a/hw/i386/kvm/pci-assign.c
> +++ b/hw/i386/kvm/pci-assign.c
> @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
> goto fail;
> }
>
> + driver[r] = 0;
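Review bot: `driver[r] = 0;` is itself an out-of-bounds write when readlink() returns r == sizeof(driver), which happens whenever the link target is at least as long as the buffer; the readlink() call is not visible in the hunk, but if its size argument is sizeof(driver) it needs to become sizeof(driver) - 1 in the same patch so that driver[r] is always inside the buffer. A return value equal to that reduced size means the target was truncated, and that case is better sent to the existing `goto fail` than handed to strrchr() as if it were a complete path.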
This will write off the end of the buffer if readlink()
filled it completely, won't it? I think you also need
to change the readlink() 3rd argument to "sizeof(driver) - 1".
thanks
-- PMM