From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1Ly7bx-0000tU-9O for qemu-devel@nongnu.org; Sun, 26 Apr 2009 12:53:49 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1Ly7bs-0000sW-MN for qemu-devel@nongnu.org; Sun, 26 Apr 2009 12:53:49 -0400 Received: from [199.232.76.173] (port=57718 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Ly7bs-0000sT-GB for qemu-devel@nongnu.org; Sun, 26 Apr 2009 12:53:44 -0400 Received: from fmmailgate02.web.de ([217.72.192.227]:35633) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1Ly7br-0002No-Jq for qemu-devel@nongnu.org; Sun, 26 Apr 2009 12:53:44 -0400 Message-ID: <49F49196.30409@web.de> Date: Sun, 26 Apr 2009 18:53:42 +0200 From: Jan Kiszka MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig62824FB1635D6F43CD934104" Sender: jan.kiszka@web.de Subject: [Qemu-devel] [PATCH] net: Fix -net socket parameter checks List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Anthony Liguori Cc: qemu-devel This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig62824FB1635D6F43CD934104 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable My commit ea053add700d8abe203cd79a9ffb082aee4eabc0 broke -net socket by overwriting an intermediate buffer in the added check_param. Fix this by switching check_param to automatic buffer allocation and release, ie. callers no longer have to worry about providing a scratch buffer. Signed-off-by: Jan Kiszka --- net.c | 20 ++++++++++---------- sysemu.h | 3 +-- vl.c | 38 +++++++++++++++++++++++++++----------- 3 files changed, 38 insertions(+), 23 deletions(-) diff --git a/net.c b/net.c index db2f8d3..dcd27fe 100644 --- a/net.c +++ b/net.c 
@@ -1791,7 +1791,7 @@ int net_client_init(const char *device, const char = *p) uint8_t *macaddr; int idx =3D nic_get_free_idx(); =20 - if (check_params(buf, sizeof(buf), nic_params, p) < 0) { + if (check_params(nic_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n", buf, p); return -1; @@ -1842,7 +1842,7 @@ int net_client_init(const char *device, const char = *p) static const char * const slirp_params[] =3D { "vlan", "name", "hostname", "restrict", "ip", NULL }; - if (check_params(buf, sizeof(buf), slirp_params, p) < 0) { + if (check_params(slirp_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n", buf, p); return -1; @@ -1893,7 +1893,7 @@ int net_client_init(const char *device, const char = *p) }; char ifname[64]; =20 - if (check_params(buf, sizeof(buf), tap_params, p) < 0) { + if (check_params(tap_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n", buf, p); return -1; @@ -1914,7 +1914,7 @@ int net_client_init(const char *device, const char = *p) int fd; vlan->nb_host_devs++; if (get_param_value(buf, sizeof(buf), "fd", p) > 0) { - if (check_params(buf, sizeof(buf), fd_params, p) < 0) { + if (check_params(fd_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; @@ -1927,7 +1927,7 @@ int net_client_init(const char *device, const char = *p) static const char * const tap_params[] =3D { "vlan", "name", "ifname", "script", "downscript", NULL }; - if (check_params(buf, sizeof(buf), tap_params, p) < 0) { + if (check_params(tap_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; 
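Review bot: The error path after each converted call still passes `buf` to `fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n", buf, p)`, but check_params() no longer writes the rejected name into it. In the nic, user and tap branches nothing visible in the hunks fills `buf` beforehand, so `%s` may read uninitialised stack bytes up to the first NUL and print them to stderr; in the `fd` branches it prints the value left by the preceding get_param_value() rather than the bad name. The same applies to every net_client_init hunk in this patch and to the drive_init hunk in vl.c. Either drop the argument, e.g. `fprintf(stderr, "qemu: invalid parameter in '%s'\n", p);`, or have check_params() return the offending name to the caller. The declaration of `buf` and the rest of net_client_init lie outside the hunks.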
@@ -1948,7 +1948,7 @@ int net_client_init(const char *device, const char = *p) if (!strcmp(device, "socket")) { if (get_param_value(buf, sizeof(buf), "fd", p) > 0) { int fd; - if (check_params(buf, sizeof(buf), fd_params, p) < 0) { + if (check_params(fd_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; @@ -1961,7 +1961,7 @@ int net_client_init(const char *device, const char = *p) static const char * const listen_params[] =3D { "vlan", "name", "listen", NULL }; - if (check_params(buf, sizeof(buf), listen_params, p) < 0) { + if (check_params(listen_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; @@ -1971,7 +1971,7 @@ int net_client_init(const char *device, const char = *p) static const char * const connect_params[] =3D { "vlan", "name", "connect", NULL }; - if (check_params(buf, sizeof(buf), connect_params, p) < 0) {= + if (check_params(connect_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; @@ -1981,7 +1981,7 @@ int net_client_init(const char *device, const char = *p) static const char * const mcast_params[] =3D { "vlan", "name", "mcast", NULL }; - if (check_params(buf, sizeof(buf), mcast_params, p) < 0) { + if (check_params(mcast_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n"= , buf, p); return -1; @@ -2002,7 +2002,7 @@ int net_client_init(const char *device, const char = *p) char vde_sock[1024], vde_group[512]; int vde_port, vde_mode; =20 - if (check_params(buf, sizeof(buf), vde_params, p) < 0) { + if (check_params(vde_params, p) < 0) { fprintf(stderr, "qemu: invalid parameter '%s' in '%s'\n", buf, p); return -1; diff --git a/sysemu.h b/sysemu.h index 50438a6..9bb9fbc 100644 --- a/sysemu.h +++ b/sysemu.h 
@@ -257,7 +257,6 @@ const char *get_opt_name(char *buf, int buf_size, con= st char *p, char delim); const char *get_opt_value(char *buf, int buf_size, const char *p); int get_param_value(char *buf, int buf_size, const char *tag, const char *str); -int check_params(char *buf, int buf_size, - const char * const *params, const char *str); +int check_params(const char * const *params, const char *str); =20 #endif diff --git a/vl.c b/vl.c index a210b6c..1fe39e5 100644 --- a/vl.c +++ b/vl.c @@ -1866,29 +1866,45 @@ int get_param_value(char *buf, int buf_size, return 0; } =20 -int check_params(char *buf, int buf_size, - const char * const *params, const char *str) +int check_params(const char * const *params, const char *str) { + int name_buf_size =3D 1; const char *p; - int i; + char *name_buf; + int i, len; + int ret =3D 0; + + for (i =3D 0; params[i] !=3D NULL; i++) { + len =3D strlen(params[i]) + 1; + if (len > name_buf_size) { + name_buf_size =3D len; + } + } + name_buf =3D qemu_malloc(name_buf_size); =20 p =3D str; while (*p !=3D '\0') { - p =3D get_opt_name(buf, buf_size, p, '=3D'); - if (*p !=3D '=3D') - return -1; + p =3D get_opt_name(name_buf, name_buf_size, p, '=3D'); + if (*p !=3D '=3D') { + ret =3D -1; + break; + } p++; for(i =3D 0; params[i] !=3D NULL; i++) - if (!strcmp(params[i], buf)) + if (!strcmp(params[i], name_buf)) break; - if (params[i] =3D=3D NULL) - return -1; + if (params[i] =3D=3D NULL) { + ret =3D -1; + break; + } p =3D get_opt_value(NULL, 0, p); if (*p !=3D ',') break; p++; } - return 0; + + qemu_free(name_buf); + return ret; } =20 /***********************************************************/ 
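Review bot: In the new check_params() in vl.c, `name_buf` is sized to exactly the longest allowed name plus its terminator. If get_opt_name() truncates to `buf_size` (its body is outside the hunk, but the signature suggests it does), an unknown option that merely begins with the longest allowed name is cut down to that name, matches in `strcmp`, and is accepted. Reserving one more byte, `len = strlen(params[i]) + 2;`, keeps an over-long name one character longer than any valid entry, so it is rejected. `len` and `name_buf_size` would also be safer as `size_t`, since they hold a strlen() result that is passed on to qemu_malloc().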
@@ -2241,7 +2257,7 @@ int drive_init(struct drive_opt *arg, int snapshot,= void *opaque) "cache", "format", "serial", = "werror", NULL }; =20 - if (check_params(buf, sizeof(buf), params, str) < 0) { + if (check_params(params, str) < 0) { fprintf(stderr, "qemu: unknown parameter '%s' in '%s'\n", buf, str); return -1; --------------enig62824FB1635D6F43CD934104 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAkn0kZYACgkQniDOoMHTA+mMwwCfb7TlGpPrC5Zfp86o5jgctcdn VakAn0VPdP70wqNarO4BGZNKxHgef6+8 =Lc4t -----END PGP SIGNATURE----- --------------enig62824FB1635D6F43CD934104--