From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>,
secalert@redhat.com, qemu-stable@nongnu.org,
William Bowling <will@wbowling.info>
Subject: [Qemu-devel] [PATCH 14/36] slirp: check sscanf result when emulating ident
Date: Tue, 23 Jul 2019 12:00:42 -0500
Message-ID: <20190723170104.4327-15-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20190723170104.4327-1-mdroth@linux.vnet.ibm.com>

From: William Bowling <will@wbowling.info>

When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.

Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
slirp/tcp_subr.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index fa61349cbb..c27e0d158d 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -657,12 +657,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
break;
}
}
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ so_rcv->sb_datalen,
+ "%d,%d\r\n", n1, n2);
+ so_rcv->sb_rptr = so_rcv->sb_data;
+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
- so_rcv->sb_datalen,
- "%d,%d\r\n", n1, n2);
- so_rcv->sb_rptr = so_rcv->sb_data;
- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
m_free(m);
return 0;
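
Review bot: The relocated reply block still stores the raw snprintf() return value in so_rcv->sb_cc and then uses it to set the write pointer (`so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;`) without checking it against so_rcv->sb_datalen. snprintf() returns the length the output would have had without truncation, and a negative value on error, so if sb_datalen were ever smaller than the formatted "%d,%d\r\n" string, sb_cc and sb_wptr would describe bytes past what was actually written. With 32-bit int the string is at most 25 characters, so this is unlikely to trigger in practice, but clamping the result to the buffer size (or asserting on it) would make the invariant explicit. Separately, since the commit message says n1 and n2 were uninitialized on the failing path, initializing them where they are declared would keep a later refactor from reintroducing the same disclosure of stack contents to the guest.
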
--
2.17.1