[libvirt] [PATCH] Fix latent buffer overflow in qemudOpenMonitorUnix.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Fix a possible latent bug in qemudOpenMonitorUnix().  If the pathname
to the monitor is very long (i.e. >= UNIX_MAX_PATH), then strncpy will
*not* place a final \0 on the string (see "man strncpy").
NULL terminate the buffer to ensure we don't run off the end.

Signed-off-by: Chris Lalancette <clalance@xxxxxxxxxx>
---
 src/qemu_driver.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 9fcc07a..4f173b7 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -910,6 +910,7 @@ qemudOpenMonitorUnix(virConnectPtr conn,
     memset(&addr, 0, sizeof(addr));
     addr.sun_family = AF_UNIX;
     strncpy(addr.sun_path, monitor, sizeof(addr.sun_path));
+    NUL_TERMINATE(addr.sun_path);
 
     do {
         ret = connect(monfd, (struct sockaddr *) &addr, sizeof(addr));
-- 
1.6.0.6

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]