On Thu, Sep 19, 2024 at 12:06:11PM -0300, Fabiano Rosas wrote:
> Coverity points out that the current usage of strncpy to write the
> ramblock name allows the field to not have an ending '\0' in case
> idstr is already not null-terminated (e.g. if it's larger than 256
> bytes).
>
> This is currently harmless because the packet->ramblock field is never
> touched again on the source side. The destination side reads only up
> to the field's size from the stream and forces the last byte to be 0.
>
> We're still open to a programming error in the future in case this
> field is ever passed into a function that expects a null-terminated
> string.
>
> Change from strncpy to QEMU's pstrcpy, which puts a '\0' at the end of
> the string and doesn't fill the extra space with zeros.
>
> (there's no spillage between iterations of fill_packet because after
> commit 87bb9e953e ("migration/multifd: Isolate ram pages packet data")
> the packet is always zeroed before filling)
>
> Resolves: Coverity CID 1560071
> Reported-by: Peter Maydell <peter.mayd...@linaro.org>
> Signed-off-by: Fabiano Rosas <faro...@suse.de>

queued.

-- 
Peter Xu
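The termination difference the quoted message describes, as an added example that is neither QEMU's nor the author's code: the 256-byte field, the 299-byte name and the 0xAA fill pattern are constructed, and qemu_style_pstrcpy is a local reimplementation assumed to behave like QEMU's pstrcpy(buf, buf_size, str), not QEMU's implementation.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define RAMBLOCK_NAME_LEN 256   /* constructed stand-in for packet->ramblock */
/* Reimplementation assumed to match QEMU's pstrcpy(buf, buf_size, str):
 * copies at most buf_size-1 bytes and always writes the terminating '\0',
 * without zero-filling the remainder. Not QEMU's own code. */
static void qemu_style_pstrcpy(char *buf, int buf_size, const char *str)
{
    int i = 0;
    if (buf_size <= 0) return;
    while (i < buf_size - 1 && str[i] != '\0') { buf[i] = str[i]; i++; }
    buf[i] = '\0';
}

/* Before the patch: strncpy writes no '\0' when idstr fills the whole field. */
static bool fill_with_strncpy(char *field, const char *idstr)
{
    memset(field, 0xAA, RAMBLOCK_NAME_LEN);   /* stale bytes, not zeroed */
    strncpy(field, idstr, RAMBLOCK_NAME_LEN);
    return memchr(field, '\0', RAMBLOCK_NAME_LEN) != NULL;
}

/* After the patch: the pstrcpy-style copy truncates and terminates. */
static bool fill_with_pstrcpy(char *field, const char *idstr)
{
    memset(field, 0xAA, RAMBLOCK_NAME_LEN);
    qemu_style_pstrcpy(field, RAMBLOCK_NAME_LEN, idstr);
    return memchr(field, '\0', RAMBLOCK_NAME_LEN) != NULL;
}

/* Fill a fresh field from a constructed 299-byte name (longer than the
 * field) and report whether the result is still safe as a C string. */
static bool oversized_name_terminated(bool use_pstrcpy)
{
    char idstr[300], field[RAMBLOCK_NAME_LEN];
    memset(idstr, 'A', sizeof(idstr) - 1);
    idstr[sizeof(idstr) - 1] = '\0';
    return use_pstrcpy ? fill_with_pstrcpy(field, idstr)
                       : fill_with_strncpy(field, idstr);
}

int main(void)
{
    printf("strncpy: terminated=%d\n", oversized_name_terminated(false));
    printf("pstrcpy: terminated=%d\n", oversized_name_terminated(true));
    return 0;
}
```

A name shorter than the field is terminated by both routines; only the oversized case separates them, which is exactly the case Coverity flagged.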