On Tue, Jun 11, 2013 at 11:15:15AM +0800, Fam Zheng wrote:
> On Mon, Jun 10, 2013 at 5:21 PM, Stefan Hajnoczi <stefa...@gmail.com> wrote:
> > On Sun, Jun 09, 2013 at 10:34:54AM +0800, Fam Zheng wrote:
> >> @@ -110,14 +111,14 @@ static int curl_sock_cb(CURL *curl, curl_socket_t
> >> fd, int action,
> >> return 0;
> >> }
> >>
> >> -static size_t curl_size_cb(void *ptr, size_t size, size_t nmemb, void
> >> *opaque)
> >> +static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void
> >> *opaque)
> >> {
> >> - CURLState *s = ((CURLState*)opaque);
> >> + BDRVCURLState *s = opaque;
> >> size_t realsize = size * nmemb;
> >> - size_t fsize;
> >> + const char *accept_line = "Accept-Ranges: bytes";
> >>
> >> - if(sscanf(ptr, "Content-Length: %zd", &fsize) == 1) {
> >> - s->s->len = fsize;
> >> + if (strncmp((char *)ptr, accept_line, strlen(accept_line)) == 0) {
> >> + s->accept_range = true;
> >> }
> >
> > This still assumes ptr is NUL-terminated. You need to pass size * nmemb
> > instead of strlen(accept_line).
> >
> OK, the case is so corner, only when :
> - realsize < strlen(accept_line) and
> - ptr is the first part of accept_line, without NUL-termination
> strncpm will possibly access no more than (strlen(accept_line) -
> realsize) bytes after ptr buffer.
>
> I'll need to check if realsize >= strlen(accept_line), not passing realsize.
You can just pass size * nmemb because strncmp() does check for NUL in
both strings. Therefore strlen(accept_line) is not needed - you know
accept_line is NUL-terminated.
Stefan
