On Thu, Mar 23, 2017 at 12:23:28PM +0100, Markus Armbruster wrote: > We first snprintf() to a fixed buffer, then g_strdup() the result > *boggle*. > > Worse, the size of the fixed buffer INET6_ADDRSTRLEN + 5 + 4 is bogus: > the 4 correctly accounts for '[', ']', ':' and '\0', but > INET6_ADDRSTRLEN is not a suitable limit for inet->host, and 5 is not > one for inet->port! They are for host and port in *numeric* form > (exploiting that INET6_ADDRSTRLEN > INET_ADDRSTRLEN), but inet->host > can also be a hostname, and inet->port can be a service name, to be > resolved with getaddrinfo(). > > Fortunately, the only user so far is the "socket" network backend's > net_socket_connected(), which uses it to initialize a NetSocketState's > info_str[]. info_str[] has considerable more space: 256 instead of > 55. So the bug's impact appears to be limited to truncated "info > networks" with the "socket" network backend. > > The fix is obvious: use g_strdup_printf(). > > Signed-off-by: Markus Armbruster <arm...@redhat.com> > --- > util/qemu-sockets.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-)
Reviewed-by: Daniel P. Berrange <berra...@redhat.com> Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
