* [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
@ 2015-03-13 11:09 Shannon Zhao
2015-03-13 12:50 ` Paolo Bonzini
2015-03-16 7:58 ` Aneesh Kumar K.V
0 siblings, 2 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-13 11:09 UTC (permalink / raw)
To: qemu-devel
Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
aneesh.kumar, pbonzini, shannon.zhao
It's detected by coverity. As max of sockaddr_un.sun_path is
sizeof(helper.sun_path), should check the length of source
and use strncpy instead of strcpy.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
---
hw/9pfs/virtio-9p-proxy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 59c7445..fb1ab7b 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
int sockfd, size;
struct sockaddr_un helper;
+ g_assert(strlen(path) < sizeof(helper.sun_path));
sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sockfd < 0) {
fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
return -1;
}
- strcpy(helper.sun_path, path);
+ strncpy(helper.sun_path, path, sizeof(helper.sun_path));
helper.sun_family = AF_UNIX;
size = strlen(helper.sun_path) + sizeof(helper.sun_family);
if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
@ 2015-03-13 12:50 ` Paolo Bonzini
2015-03-14 1:19 ` Shannon Zhao
2015-03-16 7:58 ` Aneesh Kumar K.V
1 sibling, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2015-03-13 12:50 UTC (permalink / raw)
To: Shannon Zhao, qemu-devel
Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
aneesh.kumar, shannon.zhao
On 13/03/2015 12:09, Shannon Zhao wrote:
> + g_assert(strlen(path) < sizeof(helper.sun_path));
Ok.
> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
> if (sockfd < 0) {
> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
> return -1;
> }
> - strcpy(helper.sun_path, path);
> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
strcpy is okay here. strncpy makes people think of what happens if
strlen(path) == sizeof(helper.sun_path). While this cannot happen here
because of the assertion, the function should still be used with care.
Paolo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
2015-03-13 12:50 ` Paolo Bonzini
@ 2015-03-14 1:19 ` Shannon Zhao
0 siblings, 0 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-14 1:19 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel
Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
aneesh.kumar, shannon.zhao
On 2015/3/13 20:50, Paolo Bonzini wrote:
>
>
> On 13/03/2015 12:09, Shannon Zhao wrote:
>> + g_assert(strlen(path) < sizeof(helper.sun_path));
>
> Ok.
>
>> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>> if (sockfd < 0) {
>> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>> return -1;
>> }
>> - strcpy(helper.sun_path, path);
>> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>
> strcpy is okay here. strncpy makes people think of what happens if
> strlen(path) == sizeof(helper.sun_path). While this cannot happen here
> because of the assertion, the function should still be used with care.
>
Thanks, will fix along with the other patch.
--
Thanks,
Shannon
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
2015-03-13 12:50 ` Paolo Bonzini
@ 2015-03-16 7:58 ` Aneesh Kumar K.V
2015-03-16 9:30 ` Shannon Zhao
1 sibling, 1 reply; 5+ messages in thread
From: Aneesh Kumar K.V @ 2015-03-16 7:58 UTC (permalink / raw)
To: Shannon Zhao, qemu-devel
Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
shannon.zhao, pbonzini
Shannon Zhao <zhaoshenglong@huawei.com> writes:
> It's detected by coverity. As max of sockaddr_un.sun_path is
> sizeof(helper.sun_path), should check the length of source
> and use strncpy instead of strcpy.
>
> Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
> ---
> hw/9pfs/virtio-9p-proxy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 59c7445..fb1ab7b 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
> int sockfd, size;
> struct sockaddr_un helper;
>
> + g_assert(strlen(path) < sizeof(helper.sun_path));
Since we are doing this from within Qemu, I did the below and folded
that into other sockadd_un.sun_path size checking patch.
diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 6bb191ee6ab8..71b6198bbd22 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
int sockfd, size;
struct sockaddr_un helper;
+ if (strlen(path) >= sizeof(helper.sun_path)) {
+ fprintf(stderr, "Socket name too large\n");
+ return -1;
+ }
sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sockfd < 0) {
fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
Let me know if that is ok for you.
> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
> if (sockfd < 0) {
> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
> return -1;
> }
> - strcpy(helper.sun_path, path);
> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
> helper.sun_family = AF_UNIX;
> size = strlen(helper.sun_path) + sizeof(helper.sun_family);
> if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
> --
> 1.8.3.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
2015-03-16 7:58 ` Aneesh Kumar K.V
@ 2015-03-16 9:30 ` Shannon Zhao
0 siblings, 0 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-16 9:30 UTC (permalink / raw)
To: Aneesh Kumar K.V, qemu-devel
Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
shannon.zhao, pbonzini
On 2015/3/16 15:58, Aneesh Kumar K.V wrote:
> Shannon Zhao <zhaoshenglong@huawei.com> writes:
>
>> It's detected by coverity. As max of sockaddr_un.sun_path is
>> sizeof(helper.sun_path), should check the length of source
>> and use strncpy instead of strcpy.
>>
>> Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
>> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
>> ---
>> hw/9pfs/virtio-9p-proxy.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
>> index 59c7445..fb1ab7b 100644
>> --- a/hw/9pfs/virtio-9p-proxy.c
>> +++ b/hw/9pfs/virtio-9p-proxy.c
>> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>> int sockfd, size;
>> struct sockaddr_un helper;
>>
>> + g_assert(strlen(path) < sizeof(helper.sun_path));
>
> Since we are doing this from within Qemu, I did the below and folded
> that into other sockadd_un.sun_path size checking patch.
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 6bb191ee6ab8..71b6198bbd22 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
> int sockfd, size;
> struct sockaddr_un helper;
>
> + if (strlen(path) >= sizeof(helper.sun_path)) {
> + fprintf(stderr, "Socket name too large\n");
> + return -1;
> + }
> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
> if (sockfd < 0) {
> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>
>
> Let me know if that is ok for you.
>
That's OK. :-)
--
Thanks,
Shannon
>> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>> if (sockfd < 0) {
>> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>> return -1;
>> }
>> - strcpy(helper.sun_path, path);
>> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>> helper.sun_family = AF_UNIX;
>> size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>> if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
>> --
>> 1.8.3.1
>
>
> .
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-03-16 9:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
2015-03-13 12:50 ` Paolo Bonzini
2015-03-14 1:19 ` Shannon Zhao
2015-03-16 7:58 ` Aneesh Kumar K.V
2015-03-16 9:30 ` Shannon Zhao
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.