From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57051)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1Umx2c-00048R-E2
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 22:13:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1Umx2Z-0001Gh-ON
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 22:13:34 -0400
Received: from mx1.redhat.com ([209.132.183.28]:40148)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1Umx2Z-0001Ga-H7
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 22:13:31 -0400
Date: Thu, 13 Jun 2013 10:13:28 +0800
From: Fam Zheng <famz@redhat.com>
Message-ID: <20130613021328.GD4350@localhost.nay.redhat.com>
References: <1370745294-19933-1-git-send-email-famz@redhat.com>
	<20130610092149.GB5745@stefanha-thinkpad.redhat.com>
	<CABgc4wTj_KkQ+tnWbhY7GpJUh2O5L-=jeTtJYLjdxX8ZVefPog@mail.gmail.com>
	<20130611074019.GA18312@stefanha-thinkpad.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20130611074019.GA18312@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH] curl: refuse to open URL from HTTP server
 without range support
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <famcool@gmail.com>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>, Stefan Hajnoczi <stefanha@redhat.com>, rjones@redhat.com

On Tue, 06/11 09:40, Stefan Hajnoczi wrote:
> On Tue, Jun 11, 2013 at 11:15:15AM +0800, Fam Zheng wrote:
> > On Mon, Jun 10, 2013 at 5:21 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > > On Sun, Jun 09, 2013 at 10:34:54AM +0800, Fam Zheng wrote:
> > >> @@ -110,14 +111,14 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
> > >>      return 0;
> > >>  }
> > >>
> > >> -static size_t curl_size_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> > >> +static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
> > >>  {
> > >> -    CURLState *s = ((CURLState*)opaque);
> > >> +    BDRVCURLState *s = opaque;
> > >>      size_t realsize = size * nmemb;
> > >> -    size_t fsize;
> > >> +    const char *accept_line = "Accept-Ranges: bytes";
> > >>
> > >> -    if(sscanf(ptr, "Content-Length: %zd", &fsize) == 1) {
> > >> -        s->s->len = fsize;
> > >> +    if (strncmp((char *)ptr, accept_line, strlen(accept_line)) == 0) {
> > >> +        s->accept_range = true;
> > >>      }
> > >
> > > This still assumes ptr is NUL-terminated.  You need to pass size * nmemb
> > > instead of strlen(accept_line).
> > >
> > OK, the case is so corner, only when :
> > - realsize < strlen(accept_line) and
> > - ptr is the first part of  accept_line, without NUL-termination
> > strncpm will possibly access no more than (strlen(accept_line) -
> > realsize) bytes after ptr buffer.
> > 
> > I'll need to check if realsize >= strlen(accept_line), not passing realsize.
> 
> You can just pass size * nmemb because strncmp() does check for NUL in
> both strings.  Therefore strlen(accept_line) is not needed - you know
> accept_line is NUL-terminated.
> 

No, e.g. size * nmemb is 5, and *ptr is "Conte", passing size * nmemb to
strncmp gets zero. We need to:
    * Ensure size * nmemb is no less than needed
    * Only compare needed, not whole (first strlen(accept_line) bytes).

-- 
Fam