At 07/19/2011 04:44 AM, Adam Litke Write:
>
>
> On 07/18/2011 04:42 AM, Wen Congyang wrote:
>> @@ -5983,7 +6169,30 @@ out:
>> goto cleanup;
>> }
>>
>> - *nparams = 1;
>> + if (*nparams > 1) {
>> + params[1].value.ul = period;
>> + params[1].type = VIR_TYPED_PARAM_ULLONG;
>> + if (virStrcpyStatic(params[1].field, "cfs_period") == NULL) {
>> + qemuReportError(VIR_ERR_INTERNAL_ERROR,
>> + "%s",
>> + _("Field cfs_period too long for destination"));
>> + goto cleanup;
>> + }
>> +
>> + params[2].value.ul = quota;
>
> Possible buffer overflow if *nparams == 2 ...
Yes, I forgot check the value :(
>
>> + params[2].type = VIR_TYPED_PARAM_LLONG;
>> + if (virStrcpyStatic(params[2].field, "cfs_quota") == NULL) {
>> + qemuReportError(VIR_ERR_INTERNAL_ERROR,
>> + "%s",
>> + _("Field cfs_quota too long for destination"));
>> + goto cleanup;
>> + }
>> +
>> + *nparams = 3;
>> + } else {
>> + *nparams = 1;
>> + }
>> +
>> ret = 0;
>>
>> cleanup:
>
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
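Review bot: `params[2].value.ul = quota;` stores the quota through the unsigned union member, while the following line tags the parameter as `VIR_TYPED_PARAM_LLONG`; the store should go through the signed member so the value and its type tag agree, `params[2].value.l = quota;`. The declaration of `quota` is outside the hunk, so its signedness is inferred from the LLONG tag. If it can hold a negative value, a consumer that reads the member it wrote rather than the member the tag names would see a very large unsigned number instead. The enclosing function begins before the hunk and continues past `cleanup:`.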