From: Fam Zheng <famz@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-devel@nongnu.org, Kevin Wolf <kwolf@redhat.com>,
qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] file-posix: clean up max_segments buffer termination
Date: Tue, 14 Mar 2017 17:42:45 +0800 [thread overview]
Message-ID: <20170314094245.GA8399@lemon.lan> (raw)
In-Reply-To: <20170314090922.28083-1-stefanha@redhat.com>
On Tue, 03/14 17:09, Stefan Hajnoczi wrote:
> The following pattern is unsafe:
>
> char buf[32];
> ret = read(fd, buf, sizeof(buf));
> ...
> buf[ret] = 0;
>
> If read(2) returns 32 then a byte beyond the end of the buffer is
> zeroed.
>
> In practice this buffer overflow does not occur because the sysfs
> max_segments file only contains an unsigned short + '\n'. The string is
> always shorter than 32 bytes.
>
> Regardless, avoid this pattern because static analysis tools might
> complain and it could lead to real buffer overflows if copy-pasted
> elsewhere in the codebase.
Yes that's a good point, thanks!
Fam
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> block/file-posix.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/block/file-posix.c b/block/file-posix.c
> index c4c0663..ac6bd9f 100644
> --- a/block/file-posix.c
> +++ b/block/file-posix.c
> @@ -686,7 +686,7 @@ static int hdev_get_max_segments(const struct stat *st)
> goto out;
> }
> do {
> - ret = read(fd, buf, sizeof(buf));
> + ret = read(fd, buf, sizeof(buf) - 1);
> } while (ret == -1 && errno == EINTR);
> if (ret < 0) {
> ret = -errno;
> --
> 2.9.3
>
prev parent reply other threads:[~2017-03-14 9:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-14 9:09 [Qemu-devel] [PATCH] file-posix: clean up max_segments buffer termination Stefan Hajnoczi
2017-03-14 9:25 ` Kevin Wolf
2017-03-14 9:42 ` Fam Zheng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170314094245.GA8399@lemon.lan \
--to=famz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.