[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 43/81] ui/vnc: Fix problem with sending too many byt
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 43/81] ui/vnc: Fix problem with sending too many bytes as server name |
Date: |
Mon, 20 Mar 2017 18:08:07 -0500 |
From: Thomas Huth <address@hidden>
If the buffer is not big enough, snprintf() does not return the number
of bytes that have been written to the buffer, but the number of bytes
that would be needed for writing the whole string. By using this value
for the following vnc_write() calls, we send some junk at the end of
the name in case the qemu_name is longer than 1017 bytes, which could
confuse the VNC clients. Fix this by adding an additional size check
here.
Buglink: https://bugs.launchpad.net/qemu/+bug/1637447
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 97efe4f961dcf5a0126baa75e8a6bff66d33186f)
Signed-off-by: Michael Roth <address@hidden>
---
ui/vnc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 2c28a59..29aa9c4 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2459,10 +2459,14 @@ static int protocol_client_init(VncState *vs, uint8_t
*data, size_t len)
pixel_format_message(vs);
- if (qemu_name)
+ if (qemu_name) {
size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
- else
+ if (size > sizeof(buf)) {
+ size = sizeof(buf);
+ }
+ } else {
size = snprintf(buf, sizeof(buf), "QEMU");
+ }
vnc_write_u32(vs, size);
vnc_write(vs, buf, size);
--
2.7.4
- [Qemu-devel] [PATCH 32/81] 9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough(), (continued)
- [Qemu-devel] [PATCH 32/81] 9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 37/81] pci: fix error message for express slots, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 03/81] 9pfs: remove side-effects in local_open() and local_opendir(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 39/81] 9pfs: fix crash when fsdev is missing, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 42/81] scsi-block: fix direction of BYTCHK test for VERIFY commands, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 30/81] 9pfs: fix fd leak in local_opendir(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 33/81] 9pfs: fix O_PATH build break with older glibc versions, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 36/81] balloon: Don't balloon roms, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 46/81] exec: Add missing rcu_read_unlock, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 38/81] virtio: fix vq->inuse recalc after migr, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 43/81] ui/vnc: Fix problem with sending too many bytes as server name,
Michael Roth <=
- [Qemu-devel] [PATCH 50/81] tcg/aarch64: Fix addsub2 for 0+C, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 40/81] pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap overflow, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 48/81] x86: ioapic: fix fail migration when irqchip=split, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 53/81] virtio: fix up max size checks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 35/81] machine: Convert abstract typename on compat_props to subclass names, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 34/81] 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 47/81] display: cirrus: ignore source pitch value as needed in blit_is_unsafe, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 60/81] s390x/kvm: fix small race reboot vs. cmma, Michael Roth, 2017/03/20