[PATCH] properly check buffer size in virDomainXMLDevID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



As promised, a patch to protect the 80-character "device id" buffer from overflow by the unbounded "device=" XML attribute. Before, a large "device" attribute gave a stack overflow error; now it merely results in an obscure (but non-fatal) xend error like so:


libvir: Xen Daemon error : POST operation failed: (xend.err "invalid literal for int() with base 10: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'")

(the long string of "x"es was my way of overflowing the buffer).

Please ACK...

--Hugh

--
Red Hat Virtualization Group http://redhat.com/virtualization
Hugh Brock           | virt-manager http://virt-manager.org
hbrock@xxxxxxxxxx    | virtualization library http://libvirt.org
diff -ruN libvirt.orig/src/xend_internal.c libvirt/src/xend_internal.c
--- libvirt.orig/src/xend_internal.c	2007-09-11 09:11:25.000000000 -0400
+++ libvirt/src/xend_internal.c	2007-09-11 09:07:58.000000000 -0400
@@ -3117,7 +3117,7 @@
         *(conf + strlen(conf) -1) = 0; /* suppress final ) */
     }
     else conf = sexpr;
-    if (virDomainXMLDevID(domain, xml, class, ref)) {
+    if (virDomainXMLDevID(domain, xml, class, ref, sizeof(ref))) {
         /* device doesn't exist, define it */
         ret = xend_op(domain->conn, domain->name, "op", "device_create",
                       "config", conf, NULL);
@@ -3150,7 +3150,7 @@
 	             __FUNCTION__);
         return (-1);
     }
-    if (virDomainXMLDevID(domain, xml, class, ref))
+    if (virDomainXMLDevID(domain, xml, class, ref, sizeof(ref)))
         return (-1);
     return(xend_op(domain->conn, domain->name, "op", "device_destroy",
         "type", class, "dev", ref, NULL));

diff -ruN libvirt.orig/src/xml.c libvirt/src/xml.c
--- libvirt.orig/src/xml.c	2007-09-06 11:21:20.000000000 -0400
+++ libvirt/src/xml.c	2007-09-11 08:58:46.000000000 -0400
@@ -1385,7 +1385,7 @@
  * Returns 0 in case of success, -1 in case of failure.
  */
 int
-virDomainXMLDevID(virDomainPtr domain, char *xmldesc, char *class, char *ref)
+virDomainXMLDevID(virDomainPtr domain, char *xmldesc, char *class, char *ref, int ref_len)
 {
     xmlDocPtr xml = NULL;
     xmlNodePtr node, cur;
@@ -1413,7 +1413,8 @@
             attr = xmlGetProp(cur, BAD_CAST "dev");
             if (attr == NULL)
                 goto error;
-            strcpy(ref, (char *)attr);
+            strncpy(ref, (char *)attr, ref_len);
+               ref[ref_len -1] = '\0';
             goto cleanup;
         }
     }
@@ -1430,8 +1431,9 @@
             xref = xenStoreDomainGetNetworkID(domain->conn, domain->id,
                                               (char *) attr);
             if (xref != NULL) {
-                strcpy(ref, xref);
+                strncpy(ref, xref, ref_len);
                 free(xref);
+                ref[ref_len - 1] = '\0';
                 goto cleanup;
             }
 #else /* without xen */
diff -ruN libvirt.orig/src/xml.h libvirt/src/xml.h
--- libvirt.orig/src/xml.h	2007-08-16 11:19:32.000000000 -0400
+++ libvirt/src/xml.h	2007-09-06 14:58:50.000000000 -0400
@@ -33,7 +33,7 @@
 
 char *virDomainParseXMLDesc(virConnectPtr conn, const char *xmldesc, char **name, int xendConfigVersion);
 char *virParseXMLDevice(virConnectPtr conn, char *xmldesc, int hvm, int xendConfigVersion);
-int virDomainXMLDevID(virDomainPtr domain, char *xmldesc, char *class, char *ref);
+  int virDomainXMLDevID(virDomainPtr domain, char *xmldesc, char *class, char *ref, int ref_len);
 
 #ifdef __cplusplus
 }
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]