From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46498)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1adDOn-0002lX-T5
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 03:53:50 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1adDOm-0006MN-TF
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 03:53:49 -0500
Date: Tue, 8 Mar 2016 16:53:37 +0800
From: Fam Zheng <famz@redhat.com>
Message-ID: <20160308085337.GA26071@ad.usersys.redhat.com>
References: <1457420446-25276-1-git-send-email-peterx@redhat.com>
	<1457420446-25276-3-git-send-email-peterx@redhat.com>
	<87twkhe6bm.fsf@blackfin.pond.sub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87twkhe6bm.fsf@blackfin.pond.sub.org>
Subject: Re: [Qemu-devel] [PATCH 2/8] block: fix unbounded stack for
 dump_qdict
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, pbonzini@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org, Peter Xu <peterx@redhat.com>

On Tue, 03/08 09:12, Markus Armbruster wrote:
> Peter Xu <peterx@redhat.com> writes:
> 
> > Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
> > CC: Markus Armbruster <armbru@redhat.com>
> > CC: Kevin Wolf <kwolf@redhat.com>
> > CC: qemu-block@nongnu.org
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> > ---
> >  block/qapi.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/qapi.c b/block/qapi.c
> > index db2d3fb..687e577 100644
> > --- a/block/qapi.c
> > +++ b/block/qapi.c
> > @@ -638,9 +638,12 @@ static void dump_qdict(fprintf_function func_fprintf, void *f, int indentation,
> >          QType type = qobject_type(entry->value);
> >          bool composite = (type == QTYPE_QDICT || type == QTYPE_QLIST);
> >          const char *format = composite ? "%*s%s:\n" : "%*s%s: ";
> 
> Unrelated to your patch: ugh!
> 
> Printf formats should be literals whenever possible, to make it easy for
> the compiler to warn you when you screw up.  It's trivially possible
> here!  Instead of
> 
>            func_fprintf(f, format, indentation * 4, "", key);
> 
> do
> 
>            func_fprintf(f, "%*s%s:%c", indentation * 4, "", key,
>                         composite ? '\n', ' ');;
> 
> > -        char key[strlen(entry->key) + 1];
> > +#define __KEY_LEN (256)
> > +        char key[__KEY_LEN];
> >          int i;
> >  
> > +        assert(strlen(entry->key) + 1 <= __KEY_LEN);
> > +#undef __KEY_LEN
> >          /* replace dashes with spaces in key (variable) names */
> >          for (i = 0; entry->key[i]; i++) {
> >              key[i] = entry->key[i] == '-' ? ' ' : entry->key[i];
> 
> I'm afraid this isn't a good idea.  It relies on the non-local argument
> that nobody will ever put a key longer than 255 into a qdict that gets
> dumped.  That may even be the case, but you need to *prove* it, not just
> assert it.  The weakest acceptable proof might be assertions in every
> place that put keys into a dict that might get dumped.  I suspect that's
> practical and maintainable only if there's a single place that does it.
> 
> If this was a good idea, I'd recommend to avoid the awkward macro:

Also I think the double underscore identifiers are considered reserved in C,
no?

> 
>            char key[256];
>            int i;
>    
>            assert(strlen(entry->key) + 1 <= ARRAY_SIZE(key));
> 

<...>

Fam