From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36802)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1adGlX-0005Wk-Ja
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 07:29:32 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1adGlT-00012Z-Bm
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 07:29:31 -0500
Received: from mx1.redhat.com ([209.132.183.28]:54452)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1adGlT-00012Q-6I
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 07:29:27 -0500
References: <1457420446-25276-1-git-send-email-peterx@redhat.com>
	<1457420446-25276-9-git-send-email-peterx@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <56DEC5A1.6080908@redhat.com>
Date: Tue, 8 Mar 2016 13:29:21 +0100
MIME-Version: 1.0
In-Reply-To: <1457420446-25276-9-git-send-email-peterx@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 8/8] hw/i386: fix unbounded stack for
	load_multiboot
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Xu <peterx@redhat.com>, qemu-devel@nongnu.org
Cc: "Michael S. Tsirkin" <mst@redhat.com>, Eduardo Habkost <ehabkost@redhat.com>, Richard Henderson <rth@twiddle.net>



On 08/03/2016 08:00, Peter Xu wrote:
> @@ -159,6 +159,12 @@ int load_multiboot(FWCfgState *fw_cfg,
>      uint8_t *mb_bootinfo_data;
>      uint32_t cmdline_len;
>  
> +#define __KERN_FNAME_LEN (1024)
> +#define __KERN_CMDLINE_LEN (4096)
> +
> +    assert(strlen(kernel_filename) + 1 >= __KERN_FNAME_LEN);
> +    assert(strlen(kernel_cmdline) + 1 >= __KERN_CMDLINE_LEN);
> +
>      /* Ok, let's see if it is a multiboot image.
>         The header is 12x32bit long, so the latest entry may be 8192 - 48. */
>      for (i = 0; i < (8192 - 48); i += 4) {
> @@ -324,7 +330,7 @@ int load_multiboot(FWCfgState *fw_cfg,
>      }
>  
>      /* Commandline support */
> -    char kcmdline[strlen(kernel_filename) + strlen(kernel_cmdline) + 2];
> +    char kcmdline[__KERN_FNAME_LEN + __KERN_CMDLINE_LEN];
>      snprintf(kcmdline, sizeof(kcmdline), "%s %s",
>               kernel_filename, kernel_cmdline);
>      stl_p(bootinfo + MBI_CMDLINE, mb_add_cmdline(&mbs, kcmdline));
> @@ -370,4 +376,6 @@ int load_multiboot(FWCfgState *fw_cfg,
>      nb_option_roms++;
>  
>      return 1; /* yes, we are multiboot */
> +#undef __KERN_FNAME_LEN
> +#undef __KERN_CMDLINE_LEN

Just put it in the heap using g_strdup_printf.

Paolo