Acked-by: Jonathon Jongsma <jjongsma@xxxxxxxxxx> Out of curiosity, how did you find it? Just reading code? On Thu, 2017-02-02 at 12:46 +0000, Frediano Ziglio wrote: > The stat file contains an array of max_nodes elements > so we must stay in [0, max_nodes) range, not [0, max_nodes]. > > There are no spice path that lead to these overflows but > it's better to have them fixed before creating one. > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > --- > server/stat-file.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/server/stat-file.c b/server/stat-file.c > index c23f4f5..3fe3890 100644 > --- a/server/stat-file.c > +++ b/server/stat-file.c > @@ -168,7 +168,7 @@ stat_file_add_node(RedStatFile *stat_file, > StatNodeRef parent, const char *name, > } > stat_file->stat->generation++; > stat_file->stat->num_of_nodes++; > - for (ref = 0; ref <= stat_file->max_nodes; ref++) { > + for (ref = 0; ref < stat_file->max_nodes; ref++) { > node = &stat_file->stat->nodes[ref]; > if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) { > break; > @@ -211,7 +211,7 @@ static void stat_file_remove(RedStatFile > *stat_file, SpiceStatNode *node) > /* children will be orphans */ > if (stat_file->stat->root_index == node_ref) { > stat_file->stat->root_index = node_next; > - } else for (ref = 0; ref <= stat_file->max_nodes; ref++) { > + } else for (ref = 0; ref < stat_file->max_nodes; ref++) { > node = &stat_file->stat->nodes[ref]; > if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) { > continue;
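Review bot: In the stat_file_add_node hunk, with the corrected bound the loop can finish without reaching `break`, leaving ref equal to stat_file->max_nodes and node pointing at the last element examined, which is still in use. The lines after the loop are not part of this hunk, and num_of_nodes is already incremented two lines above the loop, so please confirm that a full table is rejected before this point, or test ref < stat_file->max_nodes after the loop and bail out (undoing the increment) rather than reusing that node.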
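Review bot: In the stat_file_remove hunk, `} else for (...) {` puts the whole loop in the else branch without braces of its own, which makes the loop and its bound easy to overlook when reading. Since the line is being touched anyway, consider `} else {` with the for loop inside it. The same bound is also written out by hand in both loops of this patch; a small iteration helper or macro over [0, max_nodes) would keep the two from drifting apart again.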