From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Aneesh Kumar K.V"
Date: Mon, 16 Mar 2015 15:39:42 +0530
Message-Id: <1426500583-15712-6-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
In-Reply-To: <1426500583-15712-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
References: <1426500583-15712-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 5/6] virtfs-proxy: Fix possible overflow
To: anthony@codemonkey.ws, peter.maydell@linaro.org
Cc: "Aneesh Kumar K.V", Shannon Zhao, qemu-devel@nongnu.org, Shannon Zhao

From: Shannon Zhao It's detected by coverity. The socket name specified should fit in the sockadd_un.sun_path. If not abort. Signed-off-by: Shannon Zhao Signed-off-by: Shannon Zhao Signed-off-by: Aneesh Kumar K.V --- fsdev/virtfs-proxy-helper.c | 1 + hw/9pfs/virtio-9p-proxy.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c index bf2e5f333121..13fe032543bc 100644 --- a/fsdev/virtfs-proxy-helper.c +++ b/fsdev/virtfs-proxy-helper.c @@ -738,6 +738,7 @@ static int proxy_socket(const char *path, uid_t uid, gid_t gid) return -1; } + g_assert(strlen(path) < sizeof(proxy.sun_path)); sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { do_perror("socket"); diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c index 6bb191ee6ab8..71b6198bbd22 100644 --- a/hw/9pfs/virtio-9p-proxy.c +++ b/hw/9pfs/virtio-9p-proxy.c @@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path) int sockfd, size; struct sockaddr_un helper; + if (strlen(path) >= sizeof(helper.sun_path)) { + fprintf(stderr, "Socket name too large\n"); + return -1; + } sockfd = socket(AF_UNIX, SOCK_STREAM, 0); if (sockfd < 0) { fprintf(stderr, "failed to create socket: %s\n", strerror(errno)); -- 2.1.0
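Review bot: In the fsdev/virtfs-proxy-helper.c hunk, the length check in proxy_socket() is a g_assert(), so an over-long path aborts the helper instead of producing an error, and GLib compiles g_assert() out when G_DISABLE_ASSERT is defined, which would leave the overflow this patch targets unchecked in such a build. The path is caller-supplied input rather than an internal invariant, so an explicit test that reports the problem and returns -1 would be more robust. That would match both the `return -1;` just above the new line and the handling chosen in the connect_namedsocket() hunk of this same patch.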
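Review bot: In the hw/9pfs/virtio-9p-proxy.c hunk, the new message "Socket name too large\n" in connect_namedsocket() does not say which path was rejected or what the limit is, which makes a misconfigured socket path harder to diagnose than the strerror(errno) message a few lines below. Consider including path and sizeof(helper.sun_path) in the fprintf. The comparison itself uses >=, so room for the terminating NUL is kept, and the check runs before socket(), so nothing needs closing on this return path.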