Re: [Qemu-devel] [PATCH] qdict: fix unbounded stack for qdict_array_entries

[Eric Blake <eblake@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2354 bytes --]

On 03/09/2016 06:36 PM, Peter Xu wrote:
> Sorry to forgot CCing Eric/Markus/Kevin.
> 
> This patch title is not correct, which should be:
> 
> "Fix unbounded stack warning for qdict_array_entries"

Keep the 'qdict:' prefix, but yes, adding "warning" helps the commit
message.

> 
> Do I need to re-send with the same content?

For just the title adjustment, it's up to the maintainer.  Often, a
maintainer will make small changes like that before sending a pull request.

> 
> I'm using g_strdup_printf() here, considering it's most convenient,
> safe, and as long as it's called rarely only when quorum device
> opens.

On the other hand, this information might have been useful...

> 
> Thanks.
> Peter
> 
> On Wed, Mar 09, 2016 at 02:03:38PM +0800, Peter Xu wrote:
>> Signed-off-by: Peter Xu <peterx@redhat.com>

...in the commit body proper (explaining why you are always allocating,
because it is not a hot path).  So a v2 might indeed be easier.

>> +++ b/qobject/qdict.c
>> @@ -704,19 +704,16 @@ int qdict_array_entries(QDict *src, const char *subqdict)
>>      for (i = 0; i < INT_MAX; i++) {
>>          QObject *subqobj;
>>          int subqdict_entries;
>> -        size_t slen = 32 + subqdict_len;
>> -        char indexstr[slen], prefix[slen];
>> -        size_t snprintf_ret;
>> +        char *prefix = g_strdup_printf("%s%u.", subqdict, i);

If we were worried that this could be a hot path, you could add a %n and
&len here...

>>  
>> -        snprintf_ret = snprintf(indexstr, slen, "%s%u", subqdict, i);
>> -        assert(snprintf_ret < slen);
>> +        subqdict_entries = qdict_count_prefixed_entries(src, prefix);
>>  
>> -        subqobj = qdict_get(src, indexstr);
>> +        /* Remove ending "." */
>> +        prefix[strlen(prefix) - 1] = 0x00;

...to avoid the strlen() call here.  But this is not a hot path, and %n
always makes me worry about security, so I'm fine with your approach.

However, 0x00 is a rather verbose way of writing 0 (and even if you want
verbosity, '\0' is more idiomatic 0x00).

At this point, if you send a v2 with s/0x00/0/ and the improved commit
message, you can also include:
Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]