From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56282)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UmJBr-0004qw-KX
	for qemu-devel@nongnu.org; Tue, 11 Jun 2013 03:40:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UmJBm-0004J8-UX
	for qemu-devel@nongnu.org; Tue, 11 Jun 2013 03:40:27 -0400
Received: from mail-ee0-x229.google.com ([2a00:1450:4013:c00::229]:45273)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UmJBm-0004J3-Oi
	for qemu-devel@nongnu.org; Tue, 11 Jun 2013 03:40:22 -0400
Received: by mail-ee0-f41.google.com with SMTP id d17so2143676eek.28
	for <qemu-devel@nongnu.org>; Tue, 11 Jun 2013 00:40:22 -0700 (PDT)
Date: Tue, 11 Jun 2013 09:40:19 +0200
From: Stefan Hajnoczi <stefanha@gmail.com>
Message-ID: <20130611074019.GA18312@stefanha-thinkpad.redhat.com>
References: <1370745294-19933-1-git-send-email-famz@redhat.com>
	<20130610092149.GB5745@stefanha-thinkpad.redhat.com>
	<CABgc4wTj_KkQ+tnWbhY7GpJUh2O5L-=jeTtJYLjdxX8ZVefPog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABgc4wTj_KkQ+tnWbhY7GpJUh2O5L-=jeTtJYLjdxX8ZVefPog@mail.gmail.com>
Subject: Re: [Qemu-devel] [PATCH] curl: refuse to open URL from HTTP server
 without range support
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Fam Zheng <famcool@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <famz@redhat.com>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>, Stefan Hajnoczi <stefanha@redhat.com>, rjones@redhat.com

On Tue, Jun 11, 2013 at 11:15:15AM +0800, Fam Zheng wrote:
> On Mon, Jun 10, 2013 at 5:21 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > On Sun, Jun 09, 2013 at 10:34:54AM +0800, Fam Zheng wrote:
> >> @@ -110,14 +111,14 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
> >>      return 0;
> >>  }
> >>
> >> -static size_t curl_size_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> >> +static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> >>  {
> >> -    CURLState *s = ((CURLState*)opaque);
> >> +    BDRVCURLState *s = opaque;
> >>      size_t realsize = size * nmemb;
> >> -    size_t fsize;
> >> +    const char *accept_line = "Accept-Ranges: bytes";
> >>
> >> -    if(sscanf(ptr, "Content-Length: %zd", &fsize) == 1) {
> >> -        s->s->len = fsize;
> >> +    if (strncmp((char *)ptr, accept_line, strlen(accept_line)) == 0) {
> >> +        s->accept_range = true;
> >>      }
> >
> > This still assumes ptr is NUL-terminated.  You need to pass size * nmemb
> > instead of strlen(accept_line).
> >
> OK, the case is so corner, only when :
> - realsize < strlen(accept_line) and
> - ptr is the first part of  accept_line, without NUL-termination
> strncpm will possibly access no more than (strlen(accept_line) -
> realsize) bytes after ptr buffer.
> 
> I'll need to check if realsize >= strlen(accept_line), not passing realsize.

You can just pass size * nmemb because strncmp() does check for NUL in
both strings.  Therefore strlen(accept_line) is not needed - you know
accept_line is NUL-terminated.

Stefan