From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38696)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1bMwjs-00084c-0H
	for qemu-devel@nongnu.org; Tue, 12 Jul 2016 08:24:36 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1bMwjl-00080s-58
	for qemu-devel@nongnu.org; Tue, 12 Jul 2016 08:24:34 -0400
Received: from orth.archaic.org.uk ([2001:8b0:1d0::2]:58269)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1bMwjk-00080n-UD
	for qemu-devel@nongnu.org; Tue, 12 Jul 2016 08:24:29 -0400
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 12 Jul 2016 13:02:19 +0100
Message-Id: <1468324939-12221-9-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1468324939-12221-1-git-send-email-peter.maydell@linaro.org>
References: <1468324939-12221-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH 8/8] linux-user: Fix memchr() argument in
 open_self_cmdline()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, Riku Voipio <riku.voipio@iki.fi>, Paolo Bonzini <pbonzini@redhat.com>

In open_self_cmdline() we look for a 0 in the buffer we read
from /prc/self/cmdline. We were incorrectly passing the length
of our buf[] array to memchr() as the length to search, rather
than the number of bytes we actually read into it, which could
be shorter. This was spotted by Coverity (because it could
result in our trying to pass a negative length argument to
write()).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f849a5d..9dbd711 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6530,7 +6530,7 @@ static int open_self_cmdline(void *cpu_env, int fd)
         if (!word_skipped) {
             /* Skip the first string, which is the path to qemu-*-static
                instead of the actual command. */
-            cp_buf = memchr(buf, 0, sizeof(buf));
+            cp_buf = memchr(buf, 0, nb_read);
             if (cp_buf) {
                 /* Null byte found, skip one string */
                 cp_buf++;
-- 
1.9.1