From: Markus Armbruster <armbru@redhat.com>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Jason Wang <jasowang@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] net: avoid to use variable length array in net_client_init()
Date: Mon, 06 May 2019 15:23:08 +0200 [thread overview]
Message-ID: <878svjra2r.fsf@dusky.pond.sub.org> (raw)
In-Reply-To: <20190503170631.228487-1-sgarzare@redhat.com> (Stefano Garzarella's message of "Fri, 3 May 2019 19:06:31 +0200")
Stefano Garzarella <sgarzare@redhat.com> writes:
> net_client_init() uses a variable length array to store the prefix
> of 'ipv6-net' parameter (e.g. if ipv6-net=fec0::0/64, the prefix
> is 'fec0::0').
> Since the IPv6 prefix can be at most as long as an IPv6 address,
> we can use an array with fixed size equals to INET6_ADDRSTRLEN.
>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
> net/net.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/net.c b/net/net.c
> index f3a3c5444c..2e5f27e121 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1118,7 +1118,7 @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
> const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
>
> if (ip6_net) {
> - char buf[strlen(ip6_net) + 1];
> + char buf[INET6_ADDRSTRLEN];
>
> if (get_str_sep(buf, sizeof(buf), &ip6_net, '/') < 0) {
> /* Default 64bit prefix length. */
Hmm.
Parameter "ipv6-net" is of the form ADDRESS[/PREFIX-SIZE]. If
/PREFIX-SIZE is present, get_str_sep() copies the ADDRESS part to buf[].
However, nothing stops the user from passing in an ADDRESS longer than
INET6_ADDRSTRLEN, say by adding a enough leading zeros. get_str_sep()
will then silently truncate ADDRESS.
Suggest to avoid get_str_sep() like this (not even compile-tested):
if (ip6_net) {
char *slashp = strchr(ip6_net, '/');
if (!slashp) {
/* Default 64bit prefix length. */
qemu_opt_set(opts, "ipv6-prefix", ip6_net, &error_abort);
qemu_opt_set_number(opts, "ipv6-prefixlen", 64, &error_abort);
} else {
/* User-specified prefix length. */
unsigned long len;
int err;
char *addr = g_strndup(ip6_net, slashp - ip6_net);
qemu_opt_set(opts, "ipv6-prefix", addr, &error_abort);
g_free(addr);
err = qemu_strtoul(slashp + 1, NULL, 10, &len);
if (err) {
error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
"ipv6-prefix", "a number");
} else {
qemu_opt_set_number(opts, "ipv6-prefixlen", len,
&error_abort);
}
}
qemu_opt_unset(opts, "ipv6-net");
}
}
I'd be tempted to clean up further; de-duplicate the qemu_opt_set() and
qemu_opt_set_number().
There's just one more use of get_str_sep(), in parse_host_port(), and it
looks just as prone to silent truncation.
next prev parent reply other threads:[~2019-05-06 13:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-03 17:06 [Qemu-devel] [PATCH] net: avoid to use variable length array in net_client_init() Stefano Garzarella
2019-05-03 17:06 ` Stefano Garzarella
2019-05-06 13:23 ` Markus Armbruster [this message]
2019-05-06 17:42 ` Stefano Garzarella
2019-05-06 17:54 ` Eric Blake
2019-05-07 7:53 ` Stefano Garzarella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878svjra2r.fsf@dusky.pond.sub.org \
--to=armbru@redhat.com \
--cc=jasowang@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sgarzare@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.