From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:56306) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qb6tf-0005FL-EW for qemu-devel@nongnu.org; Mon, 27 Jun 2011 04:10:20 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Qb6td-0008Mk-KU for qemu-devel@nongnu.org; Mon, 27 Jun 2011 04:10:19 -0400 Received: from mail-yw0-f45.google.com ([209.85.213.45]:34885) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qb6td-0008Md-5u for qemu-devel@nongnu.org; Mon, 27 Jun 2011 04:10:17 -0400 Received: by ywb3 with SMTP id 3so2271453ywb.4 for ; Mon, 27 Jun 2011 01:10:16 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <1309146518-8998-1-git-send-email-famcool@gmail.com> <1309146518-8998-10-git-send-email-famcool@gmail.com> Date: Mon, 27 Jun 2011 09:10:16 +0100 Message-ID: From: Stefan Hajnoczi Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH v3 09/12] VMDK: open/read/write for monolithicFlat image List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Fam Zheng Cc: kwolf@redhat.com, qemu-devel@nongnu.org, hch@lst.de On Mon, Jun 27, 2011 at 8:00 AM, Fam Zheng wrote: > On Mon, Jun 27, 2011 at 12:54 PM, Stefan Hajnoczi wr= ote: >> On Mon, Jun 27, 2011 at 4:48 AM, Fam Zheng wrote: >>> Parse vmdk decriptor file and open mono flat image. >>> @@ -598,6 +600,154 @@ static int vmdk_open_vmdk4(BlockDriverState *bs, = int flags) >>> =A0 =A0 return ret; >>> =A0} >>> >>> +/* find an option value out of descriptor file */ >>> +static int vmdk_parse_description(const char *desc, const char *opt_na= me, >>> + =A0 =A0 =A0 =A0char *buf, int buf_size) >>> +{ >>> + =A0 =A0char *opt_pos =3D strstr(desc, opt_name); >>> + =A0 =A0int r; >>> + =A0 =A0const char *end =3D desc + strlen(desc); >>> + >>> + =A0 =A0if (!opt_pos) { >>> + =A0 =A0 =A0 =A0return -1; >>> + =A0 =A0} >>> + =A0 =A0opt_pos +=3D strlen(opt_name) + 2; >>> + =A0 =A0if (opt_pos >=3D end) { >>> + =A0 =A0 =A0 =A0return -1; >>> + =A0 =A0} >>> + =A0 =A0r =3D sscanf(opt_pos, "%[^\"]s", buf); >>> + =A0 =A0return r <=3D 0; >>> +} >> >> This is still unsafe. =A0Please see my comments on the previous version >> of this patch. > How about this: > > static int vmdk_parse_description(const char *desc, const char *opt_name, > =A0 =A0 =A0 =A0char *buf, int buf_size) > { > =A0 =A0char *opt_pos, *opt_end; > =A0 =A0const char *end =3D desc + strlen(desc); Already game over here because desc is not NUL-terminated. Either make desc NUL-terminated or add a desc_size argument. > > =A0 =A0opt_pos =3D strstr(desc, opt_name); And again here. > =A0 =A0if (!opt_pos) { > =A0 =A0 =A0 =A0return -1; > =A0 =A0} > =A0 =A0/* Skip "=3D\"" following opt_name */ > =A0 =A0opt_pos +=3D strlen(opt_name) + 2; > =A0 =A0if (opt_pos >=3D end) { > =A0 =A0 =A0 =A0return -1; > =A0 =A0} > =A0 =A0opt_end =3D opt_pos; > =A0 =A0while (opt_end < end && *opt_end !=3D '"') { > =A0 =A0 =A0 =A0opt_end++; > =A0 =A0} > =A0 =A0if (opt_end =3D=3D end || buf_size < opt_end - opt_pos + 1) { > =A0 =A0 =A0 =A0return -1; > =A0 =A0} > =A0 =A0strncpy(buf, opt_pos, opt_end - opt_pos); > =A0 =A0buf[opt_end - opt_pos] =3D '\0'; cutils.c:pstrcpy() is easier to use than strncpy(), no need for the explicit NUL-termination. Stefan