From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v2 1/2] libxc: Don't write terminating NULL
 character to command string
Date: Tue, 5 Jan 2016 23:01:50 +0000
Message-ID: <568C4B5E.7080900@citrix.com>
References: <1452032770-5642-1-git-send-email-boris.ostrovsky@oracle.com>
	<1452032770-5642-2-git-send-email-boris.ostrovsky@oracle.com>
	<568C46B8.6020204@citrix.com> <568C4AE8.1050302@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <568C4AE8.1050302@oracle.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>, ian.jackson@eu.citrix.com, stefano.stabellini@eu.citrix.com, ian.campbell@citrix.com, wei.liu2@citrix.com
Cc: jgross@suse.com, xen-devel@lists.xen.org, roger.pau@citrix.com
List-Id: xen-devel@lists.xenproject.org

On 05/01/2016 22:59, Boris Ostrovsky wrote:
> On 01/05/2016 05:42 PM, Andrew Cooper wrote:
>> On 05/01/2016 22:26, Boris Ostrovsky wrote:
>>> When copying boot command string for HVMlite guests we explicitly write
>>> '\0' at MAX_GUEST_CMDLINE offset. Unless the string is close to
>>> MAX_GUEST_CMDLINE in length this write will end up in the wrong place,
>>> beyond the end of the mapped range.
>>>
>>> Instead we should test string's length early and error out if it is too
>>> long.
>>>
>>> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
>> MAX_GUEST_CMDLINE is an arbitrary and incorrect restriction.  It is
>> sadly baked into the PV ABI, but I specifically want to avoid lumbering
>> DMLite with the failings of PV.
>>
>> By the looks of it, the only bug is the use of MAX_GUEST_CMDLINE.  The
>> xc_map_foreign_range() call already accounts for sufficient space to
>> store the string when mapping guest memory.
>
> Yes, I was also thinking about dropping it but ended up keeping it
> mostly because it didn't feel right to blindly use strcpy().

Possibly add a comment explaining that the length has already been
checked, and that sufficient space has been allocated, if that helps? 
One way or another, the use of strcpy() here is correct.

~Andrew