From: "Gabriel L. Somlo"
Date: Mon, 16 Mar 2015 10:15:03 -0400
Message-Id: <1426515305-17766-5-git-send-email-somlo@cmu.edu>
In-Reply-To: <1426515305-17766-1-git-send-email-somlo@cmu.edu>
References: <1426515305-17766-1-git-send-email-somlo@cmu.edu>
Subject: [Qemu-devel] [PATCH 4/6] fw_cfg: exit with error when dupe fw_cfg file name inserted
To: qemu-devel@nongnu.org
Cc: matt.fleming@intel.com, rjones@redhat.com, jordan.l.justen@intel.com, gleb@cloudius-systems.com, mdroth@linux.vnet.ibm.com, gsomlo@gmail.com, kraxel@redhat.com, pbonzini@redhat.com, lersek@redhat.com

Currently, when fw_cfg_add_file_callback() is invoked with a duplicate file name, it gets to insert the data blob at the next available selector, but exits (signalling the error via a call to the trace_fw_cfg_add_file_dupe() function) before incrementing the next available selector as soon as it finds the requested file name to be a dupe.

As a consequence, the immediately following invocation of fw_cfg_add_file_callback() will cause the data blob pointer at the current selector to be overwritten, and therefore leak the old data blob inserted during the previous failed call (or, instead, trigger the newly added assertion which guards against leaking data blobs by overwriting their pointers).

This patch modifies fw_cfg_add_file_callback() to exit qemu with an error whenever a duplicate fw_cfg file name insertion is requested.

Signed-off-by: Gabriel Somlo
---
 hw/nvram/fw_cfg.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 5501a97..86f120e 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -481,17 +481,18 @@ void fw_cfg_add_file_callback(FWCfgState *s, const char *filename, index = be32_to_cpu(s->files->count); assert(index < FW_CFG_FILE_SLOTS); + for (i = 0; i < index; i++) { + if (strcmp(filename, s->files->f[i].name) == 0) { + error_report("duplicate fw_cfg file name: %s", filename); + exit(1); + } + } + fw_cfg_add_bytes_read_callback(s, FW_CFG_FILE_FIRST + index, callback, callback_opaque, data, len); pstrcpy(s->files->f[index].name, sizeof(s->files->f[index].name), filename); - for (i = 0; i < index; i++) { - if (strcmp(s->files->f[index].name, s->files->f[i].name) == 0) { - trace_fw_cfg_add_file_dupe(s, s->files->f[index].name); - return; - } - } s->files->f[index].size = cpu_to_be32(len); s->files->f[index].select = cpu_to_be16(FW_CFG_FILE_FIRST + index); -- 2.1.0
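Review bot: the moved loop compares the caller's `filename` against the stored names, whereas the removed loop compared the stored copy `s->files->f[index].name`, and that stored copy is written by pstrcpy(), which silently truncates to sizeof(s->files->f[index].name). For a filename longer than that field, strcmp(filename, s->files->f[i].name) can never match the truncated entry, so inserting the same over-long name twice (or two names that differ only past the truncation point) now passes the duplicate check and lands two entries with identical names in the directory, something the old stored-copy comparison did catch. Suggest rejecting over-long names up front on the same fatal path, e.g. `if (strlen(filename) >= sizeof(s->files->f[index].name)) { error_report("fw_cfg file name too long: %s", filename); exit(1); }` before the loop, or bounding the comparison to the field size. Minor: a one-line comment above the loop stating that a duplicate name is a fatal configuration error would help the next reader, and with the trace_fw_cfg_add_file_dupe() call gone its trace-events entry (if one exists) can presumably go as well.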
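The leak the commit message describes comes purely from ordering: storing the blob pointer at the next free slot before the duplicate check, then returning without advancing the count, leaves that pointer in a slot the next insertion will overwrite. The following constructed model reproduces both orderings side by side. It is added example code, not QEMU's hw/nvram/fw_cfg.c: the FileTable type, the slot sizes, the blob names and the ownership rule (a blob the table accepted is owned only by the table, so an accepted blob no slot references is leaked) are all assumptions, and the fixed variant returns an error code rather than calling error_report() and exit(1) so the two can be compared in one process.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a fixed-slot file directory in the style of
 * fw_cfg's s->files->f[] table.  Added example, not QEMU code; sizes,
 * names and the ownership rule below are assumptions.
 * Ownership rule assumed: once a blob is accepted into the table, the
 * table is its only owner, so an accepted blob that no slot references
 * has been leaked.
 */
#define SLOTS    4
#define NAME_LEN 16

typedef struct {
    char  name[NAME_LEN];
    void *data;
} Slot;

typedef struct {
    Slot     f[SLOTS];
    unsigned count;          /* next free slot, like files->count */
} FileTable;

/* "Before" ordering: store blob and name at f[count], then look for a
 * duplicate and bail out WITHOUT advancing count.  Mirrors a void function
 * that only traces the dupe, so the caller cannot tell it failed: returns 0
 * ("accepted") in every case except a full table. */
int add_file_buggy(FileTable *t, const char *name, void *data)
{
    unsigned idx = t->count;
    if (idx >= SLOTS) return -2;
    t->f[idx].data = data;                       /* pointer stored first */
    snprintf(t->f[idx].name, NAME_LEN, "%s", name);
    for (unsigned i = 0; i < idx; i++) {
        if (strcmp(t->f[idx].name, t->f[i].name) == 0) {
            return 0;   /* dupe: f[idx] keeps the pointer, count unchanged */
        }
    }
    t->count = idx + 1;
    return 0;
}

/* "After" ordering: reject the duplicate before any slot is touched, so no
 * slot is consumed and the caller keeps ownership of a rejected blob.
 * Returns -1 on a duplicate name, -2 on a full table, 0 when accepted. */
int add_file_fixed(FileTable *t, const char *name, void *data)
{
    for (unsigned i = 0; i < t->count; i++) {
        if (strcmp(name, t->f[i].name) == 0) return -1;
    }
    unsigned idx = t->count;
    if (idx >= SLOTS) return -2;
    t->f[idx].data = data;
    snprintf(t->f[idx].name, NAME_LEN, "%s", name);
    t->count = idx + 1;
    return 0;
}

/* True if any slot, including ones past count, still points at p. */
static int table_references(const FileTable *t, const void *p)
{
    for (unsigned i = 0; i < SLOTS; i++) {
        if (t->f[i].data == p) return 1;
    }
    return 0;
}

/* Scenario from the commit message: add "a", add "a" again (the dupe), then
 * add "b".  Returns how many blobs the table accepted but no longer
 * references; *count_out receives the final directory count. */
static int run_scenario(int use_fixed, unsigned *count_out)
{
    static char blob_a[8], blob_dupe[8], blob_b[8];   /* constructed blobs */
    void *blobs[3] = { blob_a, blob_dupe, blob_b };
    const char *names[3] = { "a", "a", "b" };
    int (*add)(FileTable *, const char *, void *) =
        use_fixed ? add_file_fixed : add_file_buggy;
    FileTable t;
    int accepted[3], leaked = 0;

    memset(&t, 0, sizeof t);
    for (int i = 0; i < 3; i++) {
        accepted[i] = add(&t, names[i], blobs[i]) == 0;
    }
    for (int i = 0; i < 3; i++) {
        if (accepted[i] && !table_references(&t, blobs[i])) leaked++;
    }
    *count_out = t.count;
    return leaked;
}

int leaked_after_scenario(int use_fixed)
{
    unsigned c;
    return run_scenario(use_fixed, &c);
}

unsigned count_after_scenario(int use_fixed)
{
    unsigned c;
    run_scenario(use_fixed, &c);
    return c;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        unsigned count;
        int leaked = run_scenario(fixed, &count);
        printf("%s: count=%u leaked=%d\n",
               fixed ? "check-then-insert" : "insert-then-check", count, leaked);
    }
    return 0;
}
```

With the insert-then-check ordering the dupe's blob is accepted, parked in f[1] with count still 1, and then silently replaced when "b" lands in f[1]; with the check-then-insert ordering the dupe is refused before f[1] is written, the directory ends up with the same two entries, and nothing is orphaned.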