There was a buffer overflow in teh code to deal with building command line
arguments which was only exposed when the Fedora RPM builds uses the
stack protector args to GCC. The attached patch increases the buffer size
and uses snprintf() instead of sprintf().
BTW, if anyone is looking for a patch to write - removing all other calls
to sprintf() would be a worthy task :-)
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Index: qemud/conf.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/conf.c,v
retrieving revision 1.43
diff -u -p -r1.43 conf.c
--- qemud/conf.c 16 Mar 2007 15:03:21 -0000 1.43
+++ qemud/conf.c 20 Mar 2007 16:23:54 -0000
@@ -1301,13 +1301,14 @@ int qemudBuildCommandLine(struct qemud_s
} else {
int vlan = 0;
while (net) {
- char nic[3+1+7+1+17+1];
+ char nic[100];
- sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
- net->mac[0], net->mac[1],
- net->mac[2], net->mac[3],
- net->mac[4], net->mac[5],
- vlan);
+ if (snprintf(nic, sizeof(nic), "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
+ net->mac[0], net->mac[1],
+ net->mac[2], net->mac[3],
+ net->mac[4], net->mac[5],
+ vlan) >= sizeof(nic))
+ goto error;
if (!((*argv)[++n] = strdup("-net")))
goto no_memory;