From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44994) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bVJQa-0003XY-Uj for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bVJQW-0000St-8x for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:15 -0400
Received: from mail-lf0-x232.google.com ([2a00:1450:4010:c07::232]:36462) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bVJQW-0000Sp-1H for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:12 -0400
Received: by mail-lf0-x232.google.com with SMTP id g62so183000700lfe.3 for ; Thu, 04 Aug 2016 07:15:11 -0700 (PDT)
From: riku.voipio@linaro.org
Date: Thu, 4 Aug 2016 17:15:02 +0300
Subject: [Qemu-devel] [PULL 2/5] linux-user: Fix memchr() argument in open_self_cmdline()
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org

From: Peter Maydell

In open_self_cmdline() we look for a 0 in the buffer we read from
/proc/self/cmdline. We were incorrectly passing the length of our
buf[] array to memchr() as the length to search, rather than the
number of bytes we actually read into it, which could be shorter.

This was spotted by Coverity (because it could result in our trying
to pass a negative length argument to write()).

Signed-off-by: Peter Maydell
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ca6a2b4..092ff4e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6856,7 +6856,7 @@ static int open_self_cmdline(void *cpu_env, int fd) if (!word_skipped) { /* Skip the first string, which is the path to qemu-*-static instead of the actual command. */ - cp_buf = memchr(buf, 0, sizeof(buf)); + cp_buf = memchr(buf, 0, nb_read); if (cp_buf) { /* Null byte found, skip one string */ cp_buf++; -- 2.1.4
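Review bot: the new `memchr(buf, 0, nb_read)` is only safe if nb_read is known to be non-negative when this line runs; memchr() takes a size_t, so a read() error value of -1 reaching it would be converted to a huge length and the search would run past the end of buf[]. The hunk does not show the read() return check, so confirm that the surrounding loop exits on nb_read <= 0 before the memchr() call rather than relying on the caller. It would also help to say in the comment above the call that nb_read is the count of bytes actually read in this iteration, since that is the whole point of the change and the variable name alone does not make it obvious to the next reader that the write() length derived from cp_buf further down must use the same bound.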
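The following is an added example, not QEMU's code, that reproduces the failure mode the commit message describes in isolation: a buffer that was filled by an earlier read() still holds stale bytes (including a NUL) past the point the latest, shorter read() wrote to, so searching sizeof(buf) bytes finds a NUL that was never part of this read and the remaining-length calculation goes negative. The buffer size, the function names and the simulated /proc/self/cmdline contents are all constructed for the demonstration.

```c
/* Added example (not QEMU code): why memchr() must be bounded by the bytes
 * actually read, not by sizeof(buf). Names, sizes and data are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/types.h>

#define BUF_SIZE 64   /* hypothetical buffer size, far smaller than QEMU's */

/* Buggy variant: searches the whole array, so stale bytes beyond nb_read
 * (left over from an earlier read or simply uninitialised) can match.
 * Returns the byte count the caller would then pass to write() for the
 * remainder after the first NUL, or -1 if no NUL was found. */
static ptrdiff_t skip_first_string_buggy(char *buf, size_t buf_size, ssize_t nb_read)
{
    char *cp = memchr(buf, 0, buf_size);      /* BUG: buf_size, not nb_read */
    if (!cp) {
        return -1;
    }
    cp++;                                     /* skip the NUL itself */
    return nb_read - (cp - buf);              /* can be negative */
}

/* Fixed variant (same shape as the patch): only the nb_read bytes that this
 * read() delivered are searched, so the result is always in [0, nb_read]. */
static ptrdiff_t skip_first_string_fixed(char *buf, size_t buf_size, ssize_t nb_read)
{
    (void)buf_size;                           /* deliberately unused */
    if (nb_read <= 0) {
        return -1;                            /* never hand a negative to memchr */
    }
    char *cp = memchr(buf, 0, (size_t)nb_read);
    if (!cp) {
        return -1;
    }
    cp++;
    return nb_read - (cp - buf);
}

/* Constructed scenario: an earlier read() left "qemu-arm-static\0" in the
 * array (NUL at index 15); the next read() returns only 10 bytes with no
 * NUL among them, overwriting indices 0..9 and leaving the stale NUL behind. */
static void make_stale_scenario(char buf[BUF_SIZE], ssize_t *nb_read)
{
    static const char stale[] = "qemu-arm-static";   /* 15 chars + NUL */
    static const char fresh[] = "/usr/bin/a";        /* 10 chars, NUL not copied */
    memset(buf, 'X', BUF_SIZE);
    memcpy(buf, stale, sizeof stale);
    memcpy(buf, fresh, 10);
    *nb_read = 10;
}

/* With sizeof(buf): the stale NUL at index 15 is found, cp = buf + 16, and
 * the length handed to write() would be 10 - 16 = -6. */
ptrdiff_t demo_buggy(void)
{
    char buf[BUF_SIZE];
    ssize_t n;
    make_stale_scenario(buf, &n);
    return skip_first_string_buggy(buf, sizeof buf, n);
}

/* With nb_read: no NUL within the 10 bytes read, so -1 (keep reading). */
ptrdiff_t demo_fixed(void)
{
    char buf[BUF_SIZE];
    ssize_t n;
    make_stale_scenario(buf, &n);
    return skip_first_string_fixed(buf, sizeof buf, n);
}

/* Sanity check of the fixed variant when the NUL really is inside the read:
 * "a\0bc" read as 4 bytes leaves 2 bytes ("bc") after the first string. */
ptrdiff_t demo_fixed_found(void)
{
    char buf[BUF_SIZE];
    memset(buf, 'X', BUF_SIZE);
    memcpy(buf, "a\0bc", 4);
    return skip_first_string_fixed(buf, sizeof buf, 4);
}

int main(void)
{
    printf("buggy (sizeof buf): %ld\n", (long)demo_buggy());
    printf("fixed (nb_read):    %ld\n", (long)demo_fixed());
    printf("fixed, NUL in read: %ld\n", (long)demo_fixed_found());
    return 0;
}
```

The negative value from the buggy path is what Coverity objected to: write() takes a size_t, so -6 becomes a length of roughly 2^64 and the kernel is asked to read far past the end of buf. The fixed variant also refuses nb_read <= 0 up front, since memchr() would likewise interpret a read() error of -1 as a huge size_t.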