From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, patches@linaro.org,
Samuel Thibault <samuel.thibault@ens-lyon.org>,
Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [Qemu-devel] [PATCH] slirp: fork_exec(): Don't close() a negative number in fork_exec()
Date: Tue, 11 Jul 2017 17:29:43 +0100 [thread overview]
Message-ID: <20170711162943.GF2223@work-vm> (raw)
In-Reply-To: <20170709175422.30185-1-peter.maydell@linaro.org>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> In a fork_exec() error path we try to closesocket(s) when s might
> be a negative number because the thing that failed was the
> qemu_socket() call. Add a guard so we don't do this.
>
> (Spotted by Coverity: CID 1005727 issue 1 of 2.)
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Issue 2 of 2 in CID 1005727 is trickier -- we need to move as
> much as possible of the client-end connect/accept out of the
> child process and into the parent as possible. I'm not sure
> if it's safe to do it all in the parent without deadlocking...
or just bail earlier? The bit that worries me there
is the dup2(s, [012]); which is called unchecked, if that fails
then your telnetd or whatever probably ends up connected to whatever
your 0..2 were originally.
> slirp/misc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/slirp/misc.c b/slirp/misc.c
> index 88e9d94197..260187b6b6 100644
> --- a/slirp/misc.c
> +++ b/slirp/misc.c
> @@ -112,7 +112,9 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
> bind(s, (struct sockaddr *)&addr, addrlen) < 0 ||
> listen(s, 1) < 0) {
> error_report("Error: inet socket: %s", strerror(errno));
> - closesocket(s);
> + if (s >= 0) {
> + closesocket(s);
> + }
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(I'm not convinced this would ever do anything bad, at least on a *nix
system, the -ve value is always going to be an invalid fd so the close
will just fail).
Dave
> return 0;
> }
> --
> 2.11.0
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2017-07-11 16:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-09 17:54 [Qemu-devel] [PATCH] slirp: fork_exec(): Don't close() a negative number in fork_exec() Peter Maydell
2017-07-11 16:29 ` Dr. David Alan Gilbert [this message]
2017-07-11 17:18 ` Peter Maydell
2017-07-11 19:08 ` Dr. David Alan Gilbert
2017-07-11 20:40 ` Peter Maydell
2017-07-11 21:17 ` Eric Blake
2017-07-11 23:12 ` Samuel Thibault
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170711162943.GF2223@work-vm \
--to=dgilbert@redhat.com \
--cc=jan.kiszka@siemens.com \
--cc=patches@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=samuel.thibault@ens-lyon.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.