Re: [PATCH] network: ensure nparams is non-negative

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Apr 17, 2024 at 02:03:38PM +0200, Ján Tomko wrote:
> On a Tuesday in 2024, Daniel P. Berrangé wrote:
> > On Tue, Apr 16, 2024 at 12:58:53PM +0200, Ján Tomko wrote:
> > > On a Tuesday in 2024, Daniel P. Berrangé wrote:
> > > > The typed parameter array must be either 0, or a positive
> > > > number.
> > > >
> > > 
> > > Does this matter?
> > > 
> > > The API documentation says:
> > >  * @nparams: pointer to received number of interface parameter
> > > 
> > > and it looks like we ignore the number as long as params is NULL.
> > 
> > This missing check is something I noticed when fixing the recent
> > CVE about RPC checking nparams. In all other APIs we have such
> > a virCheckNonNegativeArgGoto for '*nparams', this was the only
> > one that was missing.
> > 
> > I believe it is harmless in terms of risk to libvirt/libvirtd,
> > but it might lead to better detection/reporting of bugs in apps.
> > 
> 
> I was thinking someone initializing *nparams to -1 could be a valid use
> according to the documentation (with params = NULL), but if we do it the
> same for all other similar APIs, it's okay.
> 
> However, it seems 'nparams' being NULL is not valid whether it's
> the user or libvirt allocating the array, so please also add:
> 
> virCheckNonNullArgGoto(nparams, error);

Opps yes, all the other APIs have this check, so should have
it here too.

> 
> Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx>
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux