Re: [PATCH] rpc: Correct the wrong payload size checking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Oct 14, 2013 at 03:22:27PM +0800, Osier Yang wrote:
> <...>
> /* Size of message length field. Not counted in VIR_NET_MESSAGE_MAX
>  * and VIR_NET_MESSAGE_INITIAL.
>  */
> const VIR_NET_MESSAGE_LEN_MAX = 4;
> </...>
> 
> However, msg->bufferLength includes the length word. The wrong checking
> was introduced by commit e914dcfd.
> 
> * src/rpc/virnetmessage.c:
>   - Correct the checking in virNetMessageEncodePayloadRaw
>   - Use a new variable to track the new payload length in
>     virNetMessageEncodePayloadRaw
> ---
>  src/rpc/virnetmessage.c | 19 +++++++++++++------
>  1 file changed, 13 insertions(+), 6 deletions(-)
> 
> diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c
> index 8f4e4bc..4c60424 100644
> --- a/src/rpc/virnetmessage.c
> +++ b/src/rpc/virnetmessage.c
> @@ -346,15 +346,17 @@ int virNetMessageEncodePayload(virNetMessagePtr msg,
>  
>      /* Try to encode the payload. If the buffer is too small increase it. */
>      while (!(*filter)(&xdr, data)) {
> -        if ((msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4 > VIR_NET_MESSAGE_MAX) {
> +        unsigned int newlen = (msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4 +
> +            VIR_NET_MESSAGE_LEN_MAX;
> +
> +        if (newlen > VIR_NET_MESSAGE_MAX + VIR_NET_MESSAGE_LEN_MAX) {

You've not actually changed the logic here at all - you've just
added VIR_NET_MESSAGE_LEN_MAX to both sides of the '>'. So this
change is a no-op. Please drop it.


>              virReportError(VIR_ERR_RPC, "%s", _("Unable to encode message payload"));
>              goto error;
>          }
>  
>          xdr_destroy(&xdr);
>  
> -        msg->bufferLength = (msg->bufferLength - VIR_NET_MESSAGE_LEN_MAX) * 4 +
> -            VIR_NET_MESSAGE_LEN_MAX;
> +        msg->bufferLength = newlen;

Again, nothing changed. Drop this.

>  
>          if (VIR_REALLOC_N(msg->buffer, msg->bufferLength) < 0)
>              goto error;
> @@ -426,10 +428,15 @@ int virNetMessageEncodePayloadRaw(virNetMessagePtr msg,
>  
>      /* If the message buffer is too small for the payload increase it accordingly. */
>      if ((msg->bufferLength - msg->bufferOffset) < len) {
> -        if ((msg->bufferOffset + len) > VIR_NET_MESSAGE_MAX) {
> +        if ((msg->bufferOffset + len) >
> +            VIR_NET_MESSAGE_MAX + VIR_NET_MESSAGE_LEN_MAX) {

Bracket both sides of the '>' for clarity, not just the left-hand-side.

>              virReportError(VIR_ERR_RPC,
> -                           _("Stream data too long to send (%zu bytes needed, %zu bytes available)"),
> -                           len, (VIR_NET_MESSAGE_MAX - msg->bufferOffset));
> +                           _("Stream data too long to send "
> +                             "(%zu bytes needed, %zu bytes available)"),
> +                           len,
> +                           VIR_NET_MESSAGE_MAX +
> +                           VIR_NET_MESSAGE_LEN_MAX -
> +                           msg->bufferOffset);
>              return -1;


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]