From: Fam Zheng <famz@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <famcool@gmail.com>,
	"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	rjones@redhat.com
Subject: Re: [Qemu-devel] [PATCH] curl: refuse to open URL from HTTP server without range support
Date: Thu, 13 Jun 2013 10:13:28 +0800
Message-ID: <20130613021328.GD4350@localhost.nay.redhat.com>
In-Reply-To: <20130611074019.GA18312@stefanha-thinkpad.redhat.com>

On Tue, 06/11 09:40, Stefan Hajnoczi wrote:
> On Tue, Jun 11, 2013 at 11:15:15AM +0800, Fam Zheng wrote:
> > On Mon, Jun 10, 2013 at 5:21 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > > On Sun, Jun 09, 2013 at 10:34:54AM +0800, Fam Zheng wrote:
> > >> @@ -110,14 +111,14 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
> > >>      return 0;
> > >>  }
> > >>
> > >> -static size_t curl_size_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> > >> +static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> > >>  {
> > >> -    CURLState *s = ((CURLState*)opaque);
> > >> +    BDRVCURLState *s = opaque;
> > >>      size_t realsize = size * nmemb;
> > >> -    size_t fsize;
> > >> +    const char *accept_line = "Accept-Ranges: bytes";
> > >>
> > >> -    if(sscanf(ptr, "Content-Length: %zd", &fsize) == 1) {
> > >> -        s->s->len = fsize;
> > >> +    if (strncmp((char *)ptr, accept_line, strlen(accept_line)) == 0) {
> > >> +        s->accept_range = true;
> > >>      }
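Review bot: In curl_header_cb, the strncmp() call always compares strlen(accept_line) bytes, whatever realsize is, so a header chunk that is shorter than accept_line and not NUL-terminated can be read past its end. Check realsize >= strlen(accept_line) before comparing. The comparison is also case-sensitive, while HTTP header field names are case-insensitive, so a server sending "accept-ranges: bytes" would leave s->accept_range unset.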
> > >
> > > This still assumes ptr is NUL-terminated.  You need to pass size * nmemb
> > > instead of strlen(accept_line).
> > >
> > > OK, this is such a corner case, only when:
> > > - realsize < strlen(accept_line) and
> > > - ptr is the first part of accept_line, without NUL-termination
> > > strncmp will possibly access no more than (strlen(accept_line) -
> > > realsize) bytes after the ptr buffer.
> > 
> > I'll need to check if realsize >= strlen(accept_line), not passing realsize.
> 
> You can just pass size * nmemb because strncmp() does check for NUL in
> both strings.  Therefore strlen(accept_line) is not needed - you know
> accept_line is NUL-terminated.
> 

No, e.g. size * nmemb is 5, and *ptr is "Conte", passing size * nmemb to
strncmp gets zero. We need to:
    * Ensure size * nmemb is no less than needed
    * Only compare needed, not whole (first strlen(accept_line) bytes).

-- 
Fam
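
The two conditions listed in the reply above, as an added example that is not part of the original thread or of QEMU's code. It compares a length-only bound with a check that first requires enough bytes and then compares only the needed prefix; the function names and the sample header chunks are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char accept_line[] = "Accept-Ranges: bytes";

/* Bound the compare by the chunk size only. It never reads past the chunk,
 * but a chunk that is a strict prefix of accept_line compares equal, and a
 * full header line fails at its trailing CR (compared against the NUL). */
static bool match_bounded_by_chunk(const char *ptr, size_t realsize)
{
    return strncmp(ptr, accept_line, realsize) == 0;
}

/* Both conditions: the chunk is long enough, and only the first
 * strlen(accept_line) bytes are compared. */
static bool match_checked(const char *ptr, size_t realsize)
{
    size_t need = sizeof(accept_line) - 1;
    return realsize >= need && memcmp(ptr, accept_line, need) == 0;
}

/* Run a matcher on an exact-size heap copy with no terminating NUL, so an
 * over-read would be visible to ASan or valgrind. */
static bool run(bool (*match)(const char *, size_t), const char *chunk)
{
    size_t n = strlen(chunk);
    char *buf = malloc(n);
    bool r;

    if (!buf) {
        return false;
    }
    memcpy(buf, chunk, n);
    r = match(buf, n);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed sample chunks, not captured traffic. */
    const char *samples[] = { "Accept-Ranges: bytes\r\n", "Accep", "Content-Length: 42\r\n" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("len=%zu chunk_bound=%d checked=%d\n", strlen(samples[i]),
               run(match_bounded_by_chunk, samples[i]), run(match_checked, samples[i]));
    }
    return 0;
}
```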

Thread overview: 7+ messages
2013-06-09  2:34 [Qemu-devel] [PATCH] curl: refuse to open URL from HTTP server without range support Fam Zheng
2013-06-10  9:21 ` Stefan Hajnoczi
2013-06-11  3:15   ` Fam Zheng
2013-06-11  7:40     ` Stefan Hajnoczi
2013-06-11  8:22       ` Kevin Wolf
2013-06-13  2:13       ` Fam Zheng [this message]
2013-06-13  8:21         ` Stefan Hajnoczi