From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 1/8] file-posix: clean up max_segments buffer termination
Date: Fri, 17 Mar 2017 14:15:39 +0100 [thread overview]
Message-ID: <1489756546-27142-2-git-send-email-kwolf@redhat.com> (raw)
In-Reply-To: <1489756546-27142-1-git-send-email-kwolf@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
The following pattern is unsafe:
char buf[32];
ret = read(fd, buf, sizeof(buf));
...
buf[ret] = 0;
If read(2) returns 32 then a byte beyond the end of the buffer is
zeroed.
In practice this buffer overflow does not occur because the sysfs
max_segments file only contains an unsigned short + '\n'. The string is
always shorter than 32 bytes.
Regardless, avoid this pattern because static analysis tools might
complain and it could lead to real buffer overflows if copy-pasted
elsewhere in the codebase.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/file-posix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/file-posix.c b/block/file-posix.c
index c4c0663..ac6bd9f 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -686,7 +686,7 @@ static int hdev_get_max_segments(const struct stat *st)
goto out;
}
do {
- ret = read(fd, buf, sizeof(buf));
+ ret = read(fd, buf, sizeof(buf) - 1);
} while (ret == -1 && errno == EINTR);
if (ret < 0) {
ret = -errno;
--
1.8.3.1
next prev parent reply other threads:[~2017-03-17 13:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-17 13:15 [Qemu-devel] [PULL 0/8] Block layer fixes for 2.9.0-rc1 Kevin Wolf
2017-03-17 13:15 ` Kevin Wolf [this message]
2017-03-17 13:15 ` [Qemu-devel] [PULL 2/8] replication: clarify permissions Kevin Wolf
2017-04-18 1:23 ` Eric Blake
2017-04-18 1:36 ` Hailiang Zhang
2017-04-18 2:52 ` Xie Changlong
2017-03-17 13:15 ` [Qemu-devel] [PULL 3/8] file-posix: Don't leak fd in hdev_get_max_segments Kevin Wolf
2017-03-17 13:15 ` [Qemu-devel] [PULL 4/8] block: Always call bdrv_child_check_perm first Kevin Wolf
2017-03-17 13:15 ` [Qemu-devel] [PULL 5/8] blockdev: fix bitmap clear undo Kevin Wolf
2017-03-17 13:15 ` [Qemu-devel] [PULL 6/8] block: Propagate error in bdrv_open_backing_file Kevin Wolf
2017-03-17 13:15 ` [Qemu-devel] [PULL 7/8] thread-pool: add missing qemu_bh_cancel in completion function Kevin Wolf
2017-03-17 13:15 ` [Qemu-devel] [PULL 8/8] block: quiesce AioContext when detaching from it Kevin Wolf
2017-03-17 14:03 ` [Qemu-devel] [PULL 0/8] Block layer fixes for 2.9.0-rc1 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1489756546-27142-2-git-send-email-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.