From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55457)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1Xdguv-0003fF-7R
	for qemu-devel@nongnu.org; Mon, 13 Oct 2014 10:48:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1Xdgun-0006ib-OY
	for qemu-devel@nongnu.org; Mon, 13 Oct 2014 10:48:09 -0400
Message-ID: <543BE616.1000707@suse.de>
Date: Mon, 13 Oct 2014 16:47:50 +0200
From: Alexander Graf <agraf@suse.de>
MIME-Version: 1.0
References: <543BE352.3080609@gmail.com>
In-Reply-To: <543BE352.3080609@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] target-ppc: kvm: Fix memory overflow issue
	about strncat()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Chen Gang <gang.chen.5i5j@gmail.com>, pbonzini@redhat.com
Cc: qemu-trivial@nongnu.org, qemu-ppc@nongnu.org, qemu-devel <qemu-devel@nongnu.org>, kvm@vger.kernel.org



On 13.10.14 16:36, Chen Gang wrote:
> strncat() will append additional '\0' to destination buffer, so need
> additional 1 byte for it, or may cause memory overflow, just like other
> area within QEMU have done.
> 
> Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>

I agree with this patch. However, the code is pretty ugly - I'm sure it
must've been me who wrote it :).

Could you please instead rewrite it to use g_strdup_printf() rather than
strncat()s? That way we resolve all string pitfalls automatically - and
this code is not the fast path, so doing an extra memory allocation is ok.


Alex

> ---
>  target-ppc/kvm.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
> index 9c23c6b..66e7ce5 100644
> --- a/target-ppc/kvm.c
> +++ b/target-ppc/kvm.c
> @@ -1794,8 +1794,8 @@ static uint64_t kvmppc_read_int_cpu_dt(const char *propname)
>          return -1;
>      }
>  
> -    strncat(buf, "/", sizeof(buf) - strlen(buf));
> -    strncat(buf, propname, sizeof(buf) - strlen(buf));
> +    strncat(buf, "/", sizeof(buf) - strlen(buf) - 1);
> +    strncat(buf, propname, sizeof(buf) - strlen(buf) - 1);
>  
>      f = fopen(buf, "rb");
>      if (!f) {
>