[libvirt PATCH 14/19] commandhelper: Make number of fds variable in printInput

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.

Signed-off-by: Tim Wiederhake <twiederh@xxxxxxxxxx>
---
 tests/commandhelper.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/tests/commandhelper.c b/tests/commandhelper.c
index d501e33e88..72a3e89da1 100644
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@@ -194,13 +194,22 @@ static int printCwd(FILE *log)
 static int printInput(struct Arguments *args)
 {
     char buf[1024];
-    struct pollfd fds[3];
-    char *buffers[3] = {NULL, NULL, NULL};
-    size_t buflen[3] = {0, 0, 0};
+    struct pollfd *fds = NULL;
+    char **buffers = NULL;
+    size_t *buflen = NULL;
     int ret = -1;
     size_t i;
     ssize_t got;
 
+    if (!(fds = calloc(args->numreadfds, sizeof(*fds))))
+        goto cleanup;
+
+    if (!(buffers = calloc(args->numreadfds, sizeof(*buffers))))
+        goto cleanup;
+
+    if (!(buflen = calloc(args->numreadfds, sizeof(*buflen))))
+        goto cleanup;
+
     if (args->close_stdin) {
         if (freopen("/dev/null", "r", stdin) != stdin)
             goto cleanup;
@@ -282,8 +291,14 @@ static int printInput(struct Arguments *args)
     ret = 0;
 
  cleanup:
-    for (i = 0; i < G_N_ELEMENTS(buffers); i++)
-        free(buffers[i]);
+    if (buffers) {
+        for (i = 0; i < args->numreadfds; i++)
+            free(buffers[i]);
+    }
+    free(fds);
+    free(buflen);
+    free(buffers);
+
     return ret;
 }
 
-- 
2.26.2




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux