From: Stefan Hajnoczi
Date: Wed, 17 Sep 2014 10:26:55 +0100
To: mrezanin@redhat.com
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Prevent segmentation fault in case of relative resolve of uri
Message-ID: <20140917092655.GD10699@stefanha-thinkpad.redhat.com>
In-Reply-To: <1410248706-9769-1-git-send-email-mrezanin@redhat.com>

On Tue, Sep 09, 2014 at 09:45:06AM +0200, mrezanin@redhat.com wrote:
> From: Miroslav Rezanina
> 
> It was possible to call strcmp with NULL argument, that can cause
> segmentation fault. Properly checking parameters to prevent this
> situation.
> 
> Signed-off-by: Miroslav Rezanina
> ---
>  util/uri.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/util/uri.c b/util/uri.c
> index e348c17..16c01d0 100644
> --- a/util/uri.c
> +++ b/util/uri.c
> @@ -1985,7 +1985,8 @@ uri_resolve_relative (const char *uri, const char *base)
>          val = g_strdup (uri);
>          goto done;
>      }
> -    if (!strcmp(bas->path, ref->path)) {
> +    if (bas->path != NULL && ref->path != NULL && 
> +        !strcmp(bas->path, ref->path)) {
>          val = g_strdup("");
>          goto done;
>      }

This patch adds more conditions; what's needed is to audit and clean up
this function.  There is dead code and things could be simplified
instead:

    if (!strcmp(bas->path, ref->path)) {
        val = g_strdup("");
        goto done;
    }
    if (bas->path == NULL) {
        val = g_strdup(ref->path);
        goto done;
    }
    if (ref->path == NULL) {
        ref->path = (char *) "/";
        remove_path = 1;
    }

<---- bas->path cannot be NULL because we took goto done
<---- ref->path cannot be NULL because we assigned "/"

    /*
     * At this point (at last!) we can compare the two paths
     *
     * First we take care of the special case where either of the
     * two path components may be missing (bug 316224)
     */
    if (bas->path == NULL) {                  <--- dead code!
        if (ref->path != NULL) {
            uptr = ref->path;
            if (*uptr == '/')
                uptr++;
            /* exception characters from uri_to_string */
            val = uri_string_escape(uptr, "/;&=+$,");
        }
        goto done;
    }
    bptr = bas->path;
    if (ref->path == NULL) {                  <--- dead code!

Also, perhaps the strcmp() you touched should really be moved below the
NULL checks.
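Review bot: the `bas->path != NULL && ref->path != NULL` guard added on the two `+` lines does stop strcmp() from dereferencing NULL, but it sits directly above code that already handles a NULL `bas->path` (`val = g_strdup(ref->path); goto done;`) and a NULL `ref->path` (substituting `"/"`), so the same crash can be prevented with no new conditions by moving the `!strcmp(bas->path, ref->path)` test below those existing NULL checks; doing so would also make the later `if (bas->path == NULL)` and `if (ref->path == NULL)` branches clearly unreachable and removable. Separately, the first `+` line ends in a trailing space after `&&`, which QEMU's scripts/checkpatch.pl flags; please strip it before resending.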
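As an added example (not QEMU's util/uri.c and not part of this thread), the C program below models the path-comparison prelude of uri_resolve_relative() in the order the reply suggests: the NULL handling for the base and reference paths runs first, and strcmp() is reached only once both pointers are known to be non-NULL. It covers all four NULL/non-NULL combinations, which is the reachability audit the reply performs by hand. The names classify_paths, resolve_result and the BRANCH_* enum are assumptions made for this example, and the behaviour for the two inputs that would have crashed before (a missing base or reference path) follows the ordering the reply proposes rather than any QEMU code.

```c
#include <stdio.h>
#include <string.h>

/* Which branch of the prelude a given (bas->path, ref->path) pair reaches.
 * Hypothetical names for this example; QEMU's function uses goto labels. */
enum resolve_branch {
    BRANCH_BASE_MISSING,   /* bas->path == NULL: result is ref->path */
    BRANCH_PATHS_EQUAL,    /* both present and identical: result is "" */
    BRANCH_DIFFERENT       /* both present and different: real merge follows */
};

typedef struct {
    enum resolve_branch branch;
    const char *ref_path;  /* reference path after the "/" substitution */
    int remove_path;       /* 1 when "/" was substituted for a missing path */
} resolve_result;

/* Reordered prelude: NULL checks first, strcmp() last.  Every path through
 * this function reaches strcmp() only with two non-NULL pointers. */
resolve_result classify_paths(const char *bas_path, const char *ref_path)
{
    resolve_result r = { BRANCH_DIFFERENT, ref_path, 0 };

    if (bas_path == NULL) {
        /* No base path: the reference path (possibly NULL) is the answer. */
        r.branch = BRANCH_BASE_MISSING;
        return r;
    }
    if (ref_path == NULL) {
        /* No reference path: treat it as "/" and remember we did so. */
        r.ref_path = "/";
        r.remove_path = 1;
    }
    /* Both pointers are non-NULL here, so the comparison cannot fault. */
    if (strcmp(bas_path, r.ref_path) == 0) {
        r.branch = BRANCH_PATHS_EQUAL;
    }
    return r;
}

static const char *branch_name(enum resolve_branch b)
{
    switch (b) {
    case BRANCH_BASE_MISSING: return "base missing";
    case BRANCH_PATHS_EQUAL:  return "paths equal";
    default:                  return "different";
    }
}

int main(void)
{
    /* Constructed inputs: the four NULL/non-NULL combinations plus an
     * equal-path case. */
    const char *cases[][2] = {
        { NULL,  NULL  },
        { NULL,  "/a"  },
        { "/a",  NULL  },
        { "/",   NULL  },
        { "/a",  "/a"  },
        { "/a",  "/b"  },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        resolve_result r = classify_paths(cases[i][0], cases[i][1]);
        printf("bas=%-5s ref=%-5s -> %s (ref_path=%s, remove_path=%d)\n",
               cases[i][0] ? cases[i][0] : "NULL",
               cases[i][1] ? cases[i][1] : "NULL",
               branch_name(r.branch),
               r.ref_path ? r.ref_path : "NULL",
               r.remove_path);
    }
    return 0;
}
```

With this ordering there is no input on which strcmp() sees a NULL, and the two later `bas->path == NULL` / `ref->path == NULL` branches the reply marks as dead have no reachable input at all, which is the argument for deleting them rather than adding a guard above the comparison.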