From: Jan Kiszka <jan.kiszka@web.de>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] [PATCH] net: Fix -net socket parameter checks
Date: Sun, 26 Apr 2009 18:53:42 +0200 [thread overview]
Message-ID: <49F49196.30409@web.de> (raw)
[-- Attachment #1: Type: text/plain, Size: 7626 bytes --]
My commit ea053add700d8abe203cd79a9ffb082aee4eabc0 broke -net socket by
overwriting an intermediate buffer in the added check_params. Fix this
by switching check_params to automatic buffer allocation and release, i.e.
callers no longer have to worry about providing a scratch buffer.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
net.c | 20 ++++++++++----------
sysemu.h | 3 +--
vl.c | 38 +++++++++++++++++++++++++++-----------
3 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/net.c b/net.c
index db2f8d3..dcd27fe 100644
--- a/net.c
+++ b/net.c
@@ -1791,7 +1791,7 @@ int net_client_init(const char *device, const char *p)
uint8_t *macaddr;
int idx = nic_get_free_idx();
- if (check_params(buf, sizeof(buf), nic_params, p) < 0) {
+ if (check_params(nic_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
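Review bot: The error message in this hunk still prints `buf` as the offending parameter, but `check_params(nic_params, p)` no longer writes to `buf`, so the name shown is whatever the buffer held before the call. In the `fd` branches of the later hunks that is the value just fetched by `get_param_value(buf, sizeof(buf), "fd", p)`; at other call sites it may be stale or uninitialised stack contents, which cannot be confirmed from the visible lines. The same applies to every other `check_params` call site in net.c and to the `drive_init` hunk in vl.c. Either drop the name from the message, e.g. `fprintf(stderr, "qemu: invalid parameter in '%s'\n", p);`, or have `check_params` hand the rejected name back to the caller. `net_client_init` begins and ends outside this hunk.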
@@ -1842,7 +1842,7 @@ int net_client_init(const char *device, const char *p)
static const char * const slirp_params[] = {
"vlan", "name", "hostname", "restrict", "ip", NULL
};
- if (check_params(buf, sizeof(buf), slirp_params, p) < 0) {
+ if (check_params(slirp_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1893,7 +1893,7 @@ int net_client_init(const char *device, const char *p)
};
char ifname[64];
- if (check_params(buf, sizeof(buf), tap_params, p) < 0) {
+ if (check_params(tap_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1914,7 +1914,7 @@ int net_client_init(const char *device, const char *p)
int fd;
vlan->nb_host_devs++;
if (get_param_value(buf, sizeof(buf), "fd", p) > 0) {
- if (check_params(buf, sizeof(buf), fd_params, p) < 0) {
+ if (check_params(fd_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1927,7 +1927,7 @@ int net_client_init(const char *device, const char *p)
static const char * const tap_params[] = {
"vlan", "name", "ifname", "script", "downscript", NULL
};
- if (check_params(buf, sizeof(buf), tap_params, p) < 0) {
+ if (check_params(tap_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1948,7 +1948,7 @@ int net_client_init(const char *device, const char *p)
if (!strcmp(device, "socket")) {
if (get_param_value(buf, sizeof(buf), "fd", p) > 0) {
int fd;
- if (check_params(buf, sizeof(buf), fd_params, p) < 0) {
+ if (check_params(fd_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1961,7 +1961,7 @@ int net_client_init(const char *device, const char *p)
static const char * const listen_params[] = {
"vlan", "name", "listen", NULL
};
- if (check_params(buf, sizeof(buf), listen_params, p) < 0) {
+ if (check_params(listen_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1971,7 +1971,7 @@ int net_client_init(const char *device, const char *p)
static const char * const connect_params[] = {
"vlan", "name", "connect", NULL
};
- if (check_params(buf, sizeof(buf), connect_params, p) < 0) {
+ if (check_params(connect_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -1981,7 +1981,7 @@ int net_client_init(const char *device, const char *p)
static const char * const mcast_params[] = {
"vlan", "name", "mcast", NULL
};
- if (check_params(buf, sizeof(buf), mcast_params, p) < 0) {
+ if (check_params(mcast_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
@@ -2002,7 +2002,7 @@ int net_client_init(const char *device, const char *p)
char vde_sock[1024], vde_group[512];
int vde_port, vde_mode;
- if (check_params(buf, sizeof(buf), vde_params, p) < 0) {
+ if (check_params(vde_params, p) < 0) {
fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n",
buf, p);
return -1;
diff --git a/sysemu.h b/sysemu.h
index 50438a6..9bb9fbc 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -257,7 +257,6 @@ const char *get_opt_name(char *buf, int buf_size, const char *p, char delim);
const char *get_opt_value(char *buf, int buf_size, const char *p);
int get_param_value(char *buf, int buf_size,
const char *tag, const char *str);
-int check_params(char *buf, int buf_size,
- const char * const *params, const char *str);
+int check_params(const char * const *params, const char *str);
#endif
diff --git a/vl.c b/vl.c
index a210b6c..1fe39e5 100644
--- a/vl.c
+++ b/vl.c
@@ -1866,29 +1866,45 @@ int get_param_value(char *buf, int buf_size,
return 0;
}
-int check_params(char *buf, int buf_size,
- const char * const *params, const char *str)
+int check_params(const char * const *params, const char *str)
{
+ int name_buf_size = 1;
const char *p;
- int i;
+ char *name_buf;
+ int i, len;
+ int ret = 0;
+
+ for (i = 0; params[i] != NULL; i++) {
+ len = strlen(params[i]) + 1;
+ if (len > name_buf_size) {
+ name_buf_size = len;
+ }
+ }
+ name_buf = qemu_malloc(name_buf_size);
p = str;
while (*p != '\0') {
- p = get_opt_name(buf, buf_size, p, '=');
- if (*p != '=')
- return -1;
+ p = get_opt_name(name_buf, name_buf_size, p, '=');
+ if (*p != '=') {
+ ret = -1;
+ break;
+ }
p++;
for(i = 0; params[i] != NULL; i++)
- if (!strcmp(params[i], buf))
+ if (!strcmp(params[i], name_buf))
break;
- if (params[i] == NULL)
- return -1;
+ if (params[i] == NULL) {
+ ret = -1;
+ break;
+ }
p = get_opt_value(NULL, 0, p);
if (*p != ',')
break;
p++;
}
- return 0;
+
+ qemu_free(name_buf);
+ return ret;
}
/***********************************************************/
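Review bot: Sizing `name_buf` to exactly the longest allowed name plus its terminator can let an over-long option name pass the `strcmp` loop. If `get_opt_name` truncates to `buf_size` (its body is not in this patch, but the signature suggests it), a constructed input such as `listenXYZ=...` would be cut to `listen` and accepted against `listen_params`. Reserving one extra byte keeps a truncated name distinguishable from every allowed one: `len = strlen(params[i]) + 2;` with a comment like `/* NUL plus one spare byte so a truncated over-long name never equals a valid one */`. `len` and `name_buf_size` are `int` while `strlen` returns `size_t`; that is harmless for these static tables, but `size_t` would avoid the implicit narrowing.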
@@ -2241,7 +2257,7 @@ int drive_init(struct drive_opt *arg, int snapshot, void *opaque)
"cache", "format", "serial", "werror",
NULL };
- if (check_params(buf, sizeof(buf), params, str) < 0) {
+ if (check_params(params, str) < 0) {
fprintf(stderr, "qemu: unknown parameter '%s' in '%s'\n",
buf, str);
return -1;
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 257 bytes --]