Message-ID: <541AD33A.1040309@huawei.com>
Date: Thu, 18 Sep 2014 20:42:34 +0800
From: zhanghailiang
References: <1411011222-5116-1-git-send-email-zhang.zhanghailiang@huawei.com> <541ACD75.1040708@redhat.com>
In-Reply-To: <541ACD75.1040708@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] qga: Fix possible freed memory accessing
To: Eric Blake, qemu-devel@nongnu.org
Cc: mdroth@linux.vnet.ibm.com, armbru@redhat.com, luonengjun@huawei.com, peter.huangpeng@huawei.com, qemu-stable@nongnu.org, lcapitulino@redhat.com

On 2014/9/18 20:17, Eric Blake wrote:
> On 09/17/2014 09:33 PM, zhanghailiang wrote:
>> If readdir_r fails, error_setg_errno will reference the freed
>> pointer *dirpath*.
>>
>> Signed-off-by: zhanghailiang
>> ---
>> qga/commands-posix.c | 10 ++++++----
>> 1 file changed, 6 insertions(+), 4 deletions(-)
>
>> for (;;) {
>> if (readdir_r(dir, &entry, &result) != 0) {
>
> Eww. We're using readdir_r? That's an inherently broken interface,
> which can risk buffer overflow. readdir should be preferred.
>
> http://austingroupbugs.net/view.php?id=696
>

Yes, it is! Should I fix it in this patch together? ;)

Thanks,
zhanghailiang
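As an added example (not the patch's code or qga's own), the shape a readdir()-based loop takes if the readdir_r call is replaced as Eric suggests: readdir() returns NULL both at end-of-stream and on error, so errno must be cleared before each call and checked afterwards, and the heap-allocated directory path is freed only after any error message that names it has been formatted. The function names and the errbuf interface are hypothetical stand-ins for the qga error_setg_errno() plumbing.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the entries of a directory with readdir(); returns the count, or -1
 * with a message in errbuf. readdir() signals both end-of-stream and failure
 * by returning NULL, so errno is zeroed before each call and read afterwards. */
int count_dir_entries(const char *dirpath, char *errbuf, size_t errlen)
{
    DIR *dir = opendir(dirpath);
    if (dir == NULL) {
        snprintf(errbuf, errlen, "opendir %s: %s", dirpath, strerror(errno));
        return -1;
    }
    int count = 0;
    errno = 0;
    while (readdir(dir) != NULL) {   /* no caller-supplied dirent buffer to overflow */
        count++;
        errno = 0;
    }
    int saved_errno = errno;         /* closedir() may clobber errno */
    closedir(dir);
    if (saved_errno != 0) {
        snprintf(errbuf, errlen, "readdir %s: %s", dirpath, strerror(saved_errno));
        return -1;
    }
    return count;
}

/* Build "<base>/<sub>" on the heap, count its entries, and free the path only
 * after the error path has finished using it (the ordering bug the patch fixes). */
int count_subdir_entries(const char *base, const char *sub,
                         char *errbuf, size_t errlen)
{
    size_t len = strlen(base) + strlen(sub) + 2;
    char *dirpath = malloc(len);
    if (dirpath == NULL) {
        snprintf(errbuf, errlen, "out of memory");
        return -1;
    }
    snprintf(dirpath, len, "%s/%s", base, sub);
    int count = count_dir_entries(dirpath, errbuf, errlen);
    free(dirpath);   /* errbuf already holds its own copy of the path */
    return count;
}
```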