From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46311) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aHW1W-00034v-4S for qemu-devel@nongnu.org; Fri, 08 Jan 2016 07:20:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aHW1S-0005WN-4U for qemu-devel@nongnu.org; Fri, 08 Jan 2016 07:20:06 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59917) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aHW1R-0005W3-Vw for qemu-devel@nongnu.org; Fri, 08 Jan 2016 07:20:02 -0500 Date: Fri, 8 Jan 2016 17:49:51 +0530 (IST) From: P J P In-Reply-To: <20160108091949.GA14724@olga> Message-ID: References: <20160108091949.GA14724@olga> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Subject: Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Wolfgang Bumiller Cc: qemu-devel@nongnu.org, Ling Liu Hello, +-- On Fri, 8 Jan 2016, Wolfgang Bumiller wrote --+ | > if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { | > pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); | > - keyname_len = 4; | | keyname_buf is a char[16] so 4 will not overflow it. | | > } | > - keyname_buf[keyname_len] = 0; | | This last write is also used to separate combined keys, so removing | this write breaks commands such as `sendkeys ctrl-f1`. | Better add a -1 to the sizeof()s? | | Come to think of it, when is this really an OOB write? | Given where keyname_len comes from: | | | separator = strchr(keys, '-'); | | keyname_len = separator ? separator - keys : strlen(keys); The OOB issue occurs when there is no separator, and strlen(keys) is longer than '16' characters. In that case, "keyname_buf[keyname_len] = 0;" writes beyond the 'keyname_buf' array. It's removed because 'pstrcpy()' routine also null terminates the buffer. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F