On Fri, Mar 29, 2019 at 12:04:45PM +0000, Peter Maydell wrote:
> On Fri, 29 Mar 2019 at 11:22, Daniel P. Berrangé <berra...@redhat.com> wrote:
> >
> > The 'filename' field in ObjectInfo struct is declared as a
> > zero length array of uint16_t. Accessing it is equivalent
> > to taking the address of the field, and taking the address
> > of fields in a packed struct causes unaligned pointer
> > warnings:
> >
> > hw/usb/dev-mtp.c: In function ‘usb_mtp_write_metadata’:
> > hw/usb/dev-mtp.c:1712:36: warning: taking address of packed member of
> > ‘struct <anonymous>’ may result in an unaligned pointer value
> > [-Waddress-of-packed-member]
> >  1712 |                                    dataset->filename);
> >       |                                    ~~~~~~~^~~~~~~~~~
>
> This one's come up before -- see
> http://patchwork.ozlabs.org/patch/1049654/
> and my comments on it. I think that utf16_to_str()
> should take a byte array and use the appropriate
> lduw_*_p() function to read from it, and that we
> need to think more carefully about endianness and
> about the "malicious short buffer" case.
Yeah, this code is even more of a disaster than I realized. This filename
handling is probably CVE worthy.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
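The shape Peter is describing, as an added example that is not QEMU's code and not part of this thread: the decoder takes a plain byte array plus the number of bytes actually present, reads each UTF-16 code unit with a byte-wise little-endian load (the `rd_le16()` helper here stands in for QEMU's `lduw_le_p()`), and rejects a declared character count that the buffer cannot hold before touching any of it. The function names `utf16le_to_utf8()` and `parse_ptp_string()`, the assumed string layout (one count byte followed by UTF-16LE code units), and the sample buffers are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-wise little-endian 16-bit load. Stand-in for QEMU's lduw_le_p():
 * it never forms a uint16_t* into the packed buffer, so it is valid at
 * any alignment and fixes the byte order independent of host endianness. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Encode one Unicode scalar value as UTF-8; returns bytes written (1..4). */
static size_t put_utf8(uint32_t cp, char *dst)
{
    if (cp < 0x80) { dst[0] = (char)cp; return 1; }
    if (cp < 0x800) {
        dst[0] = (char)(0xC0 | (cp >> 6));
        dst[1] = (char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        dst[0] = (char)(0xE0 | (cp >> 12));
        dst[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        dst[2] = (char)(0x80 | (cp & 0x3F));
        return 3;
    }
    dst[0] = (char)(0xF0 | (cp >> 18));
    dst[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    dst[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
    dst[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Decode nchars UTF-16LE code units starting at buf into a NUL-terminated
 * UTF-8 string. buflen is the number of bytes really available; the
 * declared count is checked against it before any read (the "malicious
 * short buffer" case). Returns the UTF-8 length in bytes, or -1 when the
 * input is short or the output buffer cannot hold the result plus NUL. */
long utf16le_to_utf8(const uint8_t *buf, size_t buflen, size_t nchars,
                     char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0 || nchars > buflen / 2) {
        return -1;                 /* declared length exceeds bytes held */
    }
    for (size_t i = 0; i < nchars; i++) {
        uint32_t cp = rd_le16(buf + 2 * i);
        char tmp[4];
        size_t n;
        if (cp == 0) {
            break;                 /* terminator inside the declared length */
        }
        if (cp >= 0xD800 && cp <= 0xDBFF) {             /* high surrogate */
            uint16_t lo = (i + 1 < nchars) ? rd_le16(buf + 2 * (i + 1)) : 0;
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i++;
            } else {
                cp = 0xFFFD;       /* unpaired surrogate: replacement char */
            }
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            cp = 0xFFFD;           /* stray low surrogate */
        }
        n = put_utf8(cp, tmp);
        if (o + n >= outlen) {
            return -1;             /* no room for these bytes plus the NUL */
        }
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return (long)o;
}

/* Assumed PTP/MTP string layout for this example (not QEMU's struct):
 * one byte giving the number of UTF-16 code units including the
 * terminating NUL, followed by the code units. */
long parse_ptp_string(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    if (buflen < 1) {
        return -1;
    }
    return utf16le_to_utf8(buf + 1, buflen - 1, buf[0], out, outlen);
}

/* Constructed sample inputs; the count byte leaves the code units unaligned. */
static const uint8_t sample_ok[]    = { 0x04, 'a', 0, 'b', 0, 'c', 0, 0, 0 };
static const uint8_t sample_short[] = { 0x40, 'a', 0, 'b', 0 };  /* claims 64 units */
static const uint8_t sample_pair[]  = { 0x03, 0x3D, 0xD8, 0x00, 0xDE, 0, 0 }; /* U+1F600 */
static char out_buf[32];

int main(void)
{
    printf("ok:    %ld \"%s\"\n",
           parse_ptp_string(sample_ok, sizeof sample_ok, out_buf, sizeof out_buf), out_buf);
    printf("short: %ld\n",
           parse_ptp_string(sample_short, sizeof sample_short, out_buf, sizeof out_buf));
    printf("pair:  %ld bytes\n",
           parse_ptp_string(sample_pair, sizeof sample_pair, out_buf, sizeof out_buf));
    return 0;
}
```

The length check sits in front of the loop rather than inside it so a truncated packet is rejected as a whole instead of being partially decoded; comparing `nchars` against `buflen / 2` also avoids the overflow that `nchars * 2 > buflen` would invite on a large count.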