From: Paolo Bonzini <pbonzini@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: famz@redhat.com, qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH 09/10] scsi: add multipath support to qemu-pr-helper
Date: Mon, 11 Sep 2017 11:14:31 +0200
Message-ID: <49202119-02f9-af09-6a69-5360e747f91f@redhat.com>
In-Reply-To: <20170830163750.GY24565@stefanha-x1.localdomain>
On 30/08/2017 18:37, Stefan Hajnoczi wrote:
>
> The case statements assume sz has a certain minimum value. I didn't
> see a check anywhere that guarantees this. It may be easier to hide the
> client's sz value and instead use sizeof(client->data). The caller can
> worry about sz.
Makes sense. OUT needs the client sz, but IN doesn't and it gets in the
way. This lets me just assert in multipath_pr_in that sz is large enough.
>> + /* Convert input data, especially transport IDs, to the structs
>> + * used by libmpathpersist (which, of course, will immediately
>> + * do the opposite).
>> + */
>> + memset(¶mp, 0, sizeof(paramp));
>> + memcpy(¶mp.key, ¶m[0], 8);
>> + memcpy(¶mp.sa_key, ¶m[8], 8);
>> + paramp.sa_flags = param[10];
>> + for (i = PR_OUT_FIXED_PARAM_SIZE, j = 0; i < sz; ) {
>> + struct transportid *id = (struct transportid *) &transportids[j];
>> + int len;
>> +
>> + id->format_code = param[i] & 0xc0;
>> + id->protocol_id = param[i] & 0x0f;
>> + switch (param[i] & 0xcf) {
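Review bot: `paramp.sa_flags = param[10]` reads a byte from inside the service action reservation key that the line above just copied from bytes 8..15, so offset 10 cannot be the flags byte; in the SPC-4 PR OUT parameter list the SPEC_I_PT/ALL_TG_PT/APTPL flags sit at byte 20, so this should be `paramp.sa_flags = param[20];`. Separately, the loop starts at `i = PR_OUT_FIXED_PARAM_SIZE`, which (as the thread goes on to note) is the 4-byte TransportID parameter data length field, not the first TransportID, and that length is never compared against `sz`; read it, reject it if it exceeds `sz - PR_OUT_FIXED_PARAM_SIZE - 4`, and iterate from `PR_OUT_FIXED_PARAM_SIZE + 4` up to that declared end rather than to `sz`.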
> At this point we know sz > PR_OUT_FIXED_PARAM_SIZE && i < sz. I think
> the following case statements can read beyond the end of client->data[]
> because nothing checks sz before accessing param[].
>
> Missing sz checks?
There is a transport id length field that has to be checked against sz,
indeed. After doing that, the for loop is fine (though the initial
index is wrong, because PR_OUT_FIXED_PARAM_SIZE points to the length
field and the transport ids are at PR_OUT_FIXED_PARAM_SIZE + 4).
>> + /* iSCSI transport. */
>> + len = lduw_be_p(¶m[i + 2]);
>> + if (len > 252 || (len & 3)) {
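Review bot: `lduw_be_p(&param[i + 2])` reads bytes i+2 and i+3 while the loop only guarantees `i < sz`, so a TransportID whose 4-byte header straddles the end of the client data is read past `client->data[]`; check `sz - i >= 4` before the load and, after the `len > 252 || (len & 3)` test (which is fine as a range check on the 16-bit field), check `len <= sz - i - 4` before the name is copied out and before `i` advances by `4 + len`. Since the value comes from a 16-bit unsigned load, `len` cannot be negative, but declaring it `size_t` would make that evident at the comparison.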
>
> int len can be negative here. Please use the size_t type - it's
> unsigned and used by memchr(3)/memcpy(3).
Can it? lduw_be_p reads 16 bits (and it's unsigned as the name says).
Paolo
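As an added example (not code from the patch, from QEMU or from libmpathpersist), here is a bounds-checked version of the TransportID loop the review discusses, applying the points raised above: the length field at PR_OUT_FIXED_PARAM_SIZE is validated against sz first, the IDs are walked from PR_OUT_FIXED_PARAM_SIZE + 4, and every header and name read is checked before it happens. The fixed size of 24, the 252-byte iSCSI name bound, the struct layout and the sample buffer are assumptions or constructed for this example; only iSCSI (protocol identifier 5) TransportIDs are handled.

```c
#include <stdint.h>
#include <string.h>
/* Assumed layout, as described in the thread: PR_OUT_FIXED_PARAM_SIZE bytes of
 * fixed parameters, a 4-byte big-endian TransportID parameter data length, then
 * the TransportIDs themselves (so they begin at PR_OUT_FIXED_PARAM_SIZE + 4). */
#define PR_OUT_FIXED_PARAM_SIZE 24
#define ISCSI_NAME_MAX 252              /* assumed bound, taken from the hunk */
struct transport_id {
    uint8_t protocol_id;                /* TransportID byte 0, bits 3..0 */
    uint16_t len;                       /* valid bytes in name[] */
    uint8_t name[ISCSI_NAME_MAX];
};
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
/* Parse the iSCSI TransportIDs of a PR OUT parameter list of sz bytes. Every read
 * is bounded by sz (what the client really sent) and by the declared area, so a
 * short or lying buffer yields -1 instead of an over-read. Returns the ID count. */
int parse_transport_ids(const uint8_t *param, size_t sz,
                        struct transport_id *out, size_t max_out)
{
    size_t i = PR_OUT_FIXED_PARAM_SIZE + 4, end, n = 0;
    if (sz < i) return -1;              /* the length field itself is truncated */
    end = i + be32(&param[PR_OUT_FIXED_PARAM_SIZE]);   /* end of declared area */
    if (end < i || end > sz) return -1; /* wrapped, or exceeds the buffer */
    while (i < end) {
        uint16_t len;
        /* Need a free slot, a full 4-byte header and protocol id 5 (iSCSI). */
        if (n == max_out || end - i < 4 || (param[i] & 0x0f) != 5) return -1;
        len = (uint16_t)((param[i + 2] << 8) | param[i + 3]);
        /* Additional length: at most 252, a multiple of 4, inside the area. */
        if (len > ISCSI_NAME_MAX || (len & 3) || len > end - i - 4) return -1;
        out[n].protocol_id = param[i] & 0x0f;
        out[n].len = len;
        memcpy(out[n++].name, &param[i + 4], len);
        i += 4 + len;
    }
    return (int)n;
}
/* Constructed sample: zeroed fixed parameters, area length 20, then one iSCSI
 * TransportID carrying the 16-byte name "iqn.2017-09.test" (48 bytes total). */
static const uint8_t sample[48] = {
    [PR_OUT_FIXED_PARAM_SIZE + 3] = 20, [28] = 0x05, [31] = 16,
    [32] = 'i', 'q', 'n', '.', '2', '0', '1', '7', '-', '0', '9', '.', 't', 'e', 's', 't',
};
/* Parse the sample as if only sz bytes had arrived: 1 = accepted and the name
 * matches, -1 = rejected, 0 = accepted but the content differs. */
int sample_check(size_t sz)
{
    struct transport_id id;
    int n = parse_transport_ids(sample, sz, &id, 1);
    return n == 1 ? (id.len == 16 && memcmp(id.name, "iqn.2017-09.test", 16) == 0) : n;
}
```

Feeding the same buffer with sz reduced by one byte is enough to exercise the declared-area check: the length field still says 20, but only 19 bytes follow it, so the parser refuses rather than reading past the end.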