From: Michael Roth
Date: Wed, 22 Oct 2014 07:59:10 -0500
Message-Id: <1413982750-21159-2-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1413982750-21159-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1413982750-21159-1-git-send-email-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH] qga: Rewrite code where using readdir_r
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, zhang.zhanghailiang@huawei.com, qemu-stable@nongnu.org

From: zhanghailiang

If readdir_r fails, error_setg_errno will reference the freed pointer *dirpath*.
Moreover, readdir_r may cause a buffer overflow, using readdir instead.

Signed-off-by: zhanghailiang
Reviewed-by: Eric Blake
Reviewed-by: Paolo Bonzini
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth
---
 qga/commands-posix.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/qga/commands-posix.c b/qga/commands-posix.c index 7eed7f4..f6f3e3c 100644 --- a/qga/commands-posix.c +++ b/qga/commands-posix.c
@@ -956,7 +956,7 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath, { DIR *dir; char *dirpath; - struct dirent entry, *result; + struct dirent *entry; dirpath = g_strdup_printf("%s/slaves", syspath); dir = opendir(dirpath); @@ -965,22 +965,24 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath, g_free(dirpath); return; } - g_free(dirpath); for (;;) { - if (readdir_r(dir, &entry, &result) != 0) { - error_setg_errno(errp, errno, "readdir_r(\"%s\")", dirpath); - break; - } - if (!result) { + errno = 0; + entry = readdir(dir); + if (entry == NULL) { + if (errno) { + error_setg_errno(errp, errno, "readdir(\"%s\")", dirpath); + } break; } - if (entry.d_type == DT_LNK) { - g_debug(" slave device '%s'", entry.d_name); - dirpath = g_strdup_printf("%s/slaves/%s", syspath, entry.d_name); - build_guest_fsinfo_for_device(dirpath, fs, errp); - g_free(dirpath); + if (entry->d_type == DT_LNK) { + char *path; + + g_debug(" slave device '%s'", entry->d_name); + path = g_strdup_printf("%s/slaves/%s", syspath, entry->d_name); + build_guest_fsinfo_for_device(path, fs, errp); + g_free(path); if (*errp) { break; @@ -988,6 +990,7 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath, } } + g_free(dirpath); closedir(dir); } -- 1.9.1
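
Review bot: In the first hunk (@@ -956), the new `struct dirent *entry;` declaration would benefit from a one-line comment on lifetime: unlike the old stack `struct dirent entry`, the structure returned by readdir() belongs to the `DIR` stream and may be overwritten by the next readdir() on `dir` or released by closedir(). The loop as posted only reads `entry->d_type` and `entry->d_name` before the next call, so it is correct; the comment guards against a later change that keeps `entry->d_name` past the iteration.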
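
Review bot: In the second hunk (@@ -965), the unchanged context after `build_guest_fsinfo_for_device(path, fs, errp);` still tests `if (*errp)`, which dereferences `errp` unconditionally and so relies on every caller passing a non-NULL `errp`. Since the loop body is being rewritten anyway, consider passing a local `Error *` to the nested call, testing that, and handing it on with error_propagate(). The `errno = 0;` reset immediately before `readdir(dir)` and the `if (errno)` check directly after the NULL return are the right way to tell end-of-directory from a read error, so no change is needed there.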
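
Review bot: In the last hunk (@@ -988), `g_free(dirpath);` now sits at the function tail while the early-return path visible at the top of the previous hunk keeps its own `g_free(dirpath); return;`, so the buffer has two release sites. A single exit label that frees `dirpath` and closes `dir` when it is non-NULL would make it harder for a future error path to reintroduce the early free that the commit message describes. Using the separate `path` variable for the per-entry string in the loop, instead of reassigning `dirpath`, is what keeps this final free from releasing the wrong buffer, and is worth a short comment.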