From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
To: Chen Gang <gang.chen.5i5j@gmail.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
Cc: QEMU Developers <qemu-devel@nongnu.org>, aliguori@amazon.com
Subject: Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-local.c: use snprintf() instead of sprintf()
Date: Tue, 04 Feb 2014 21:48:30 +0530
Message-ID: <87siry3l7t.fsf@linux.vnet.ibm.com>
In-Reply-To: <52F0CD67.5070601@gmail.com>

Chen Gang <gang.chen.5i5j@gmail.com> writes:

> On 02/04/2014 07:06 PM, Daniel P. Berrange wrote:
>> On Tue, Feb 04, 2014 at 07:02:18PM +0800, Chen Gang wrote:
>>> On 02/03/2014 06:39 PM, Chen Gang wrote:
>>>> On 02/03/2014 06:34 PM, Daniel P. Berrange wrote:
>>>>> On Mon, Feb 03, 2014 at 06:00:42PM +0800, Chen Gang wrote:
>>>>>> We cannot assume "'path' + 'ctx->fs_root'" must be less than MAX_PATH,
>>>>>> so we need to use snprintf() instead of sprintf().
>>>>>>
>>>>>> Also recommend using ARRAY_SIZE instead of a hard-coded macro for an
>>>>>> array size in snprintf().
>>>>>
>>>>> In the event that there is overflow this will cause the data to be
>>>>> truncated, potentially causing QEMU to access the wrong file on the
>>>>> host. Both snprintf and sprintf are really bad because of their
>>>>> use of fixed buffers. Better to change it to g_strdup_printf which
>>>>> dynamically allocates buffers.
>>>>>
>>>
>>> After checking the details, I guess we cannot change to g_strdup_printf or
>>> others (e.g. v9fs_string_*).
>>>
>>> v9fs needs to use "mkdir, remove ..." which have a MAX_PATH limitation. So if
>>> the combined path is longer than MAX_PATH, before it passes to "mkdir,
>>> remove ...", it has to be truncated just like what rpath() has done.
>> 
>> I don't believe you are correct there.  Those functions should
>> return "errno == ENAMETOOLONG - pathname was too long". The
>> MAX_PATH constant is not even required to exist in POSIX, so
>> I would not expect the spec to mandate anything about MAX_PATH
>> in relation to those functions.
>> 
>
> So the original author of v9fs will use truncation instead of returning
> failure to upper users.


That is a bug. The snprintf usage with PATH_MAX is to prevent buffer
overflow and not to truncate. I guess we should fix path handling
and propagate error correctly.

-aneesh
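
The three path-building behaviours debated in this thread, as an added example that is not part of the original message and is not QEMU code: silent truncation, truncation detected and reported as ENAMETOOLONG, and dynamic allocation. The function names, `DEMO_PATH_MAX` and the sample paths are hypothetical, and `rpath_alloc()` uses plain libc as a stand-in for `g_strdup_printf()`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_PATH_MAX 32 /* constructed small limit so the sample overflows it */
/* Truncating pattern from the thread: the result always fits the buffer,
 * but an over-long path silently becomes a different, shorter path. */
static const char *rpath_truncating(const char *root, const char *path, char *buf, size_t len)
{
    snprintf(buf, len, "%s/%s", root, path);
    return buf;
}

/* Checked variant: snprintf() returns the length it needed, so a value
 * >= len means truncation. Fail with ENAMETOOLONG instead of continuing. */
static int rpath_checked(const char *root, const char *path, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/%s", root, path);
    if (n < 0 || (size_t)n >= len) {
        errno = (n < 0) ? EINVAL : ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Dynamic variant (plain-libc stand-in for g_strdup_printf): measure, then
 * allocate. Caller frees; the later syscall enforces any length limit. */
static char *rpath_alloc(const char *root, const char *path)
{
    int n = snprintf(NULL, 0, "%s/%s", root, path);
    char *out = (n < 0) ? NULL : malloc((size_t)n + 1);
    if (out) {
        snprintf(out, (size_t)n + 1, "%s/%s", root, path);
    }
    return out;
}

int main(void)
{
    char buf[DEMO_PATH_MAX];
    const char *root = "/srv/export", *name = "reports/2014/q1-summary.txt.orig";
    printf("truncating: %s\n", rpath_truncating(root, name, buf, sizeof(buf)));
    int rc = rpath_checked(root, name, buf, sizeof(buf));
    printf("checked:    rc=%d (%s)\n", rc, rc ? strerror(errno) : buf);
    char *full = rpath_alloc(root, name);
    printf("allocated:  %s\n", full ? full : "(out of memory)");
    free(full);
    return 0;
}
```

With the constructed input, the truncating variant yields a path that names a different file under the same root, which is the wrong-file access raised earlier in the thread.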
