[Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
@ 2015-03-13 11:09 Shannon Zhao
  2015-03-13 12:50 ` Paolo Bonzini
  2015-03-16  7:58 ` Aneesh Kumar K.V
  0 siblings, 2 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-13 11:09 UTC (permalink / raw)
  To: qemu-devel
  Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
	aneesh.kumar, pbonzini, shannon.zhao

It's detected by coverity. As max of sockaddr_un.sun_path is
sizeof(helper.sun_path), should check the length of source
and use strncpy instead of strcpy.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
---
 hw/9pfs/virtio-9p-proxy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 59c7445..fb1ab7b 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
     int sockfd, size;
     struct sockaddr_un helper;
 
+    g_assert(strlen(path) < sizeof(helper.sun_path));
     sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (sockfd < 0) {
         fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
         return -1;
     }
-    strcpy(helper.sun_path, path);
+    strncpy(helper.sun_path, path, sizeof(helper.sun_path));
     helper.sun_family = AF_UNIX;
     size = strlen(helper.sun_path) + sizeof(helper.sun_family);
     if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
  2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
@ 2015-03-13 12:50 ` Paolo Bonzini
  2015-03-14  1:19   ` Shannon Zhao
  2015-03-16  7:58 ` Aneesh Kumar K.V
  1 sibling, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2015-03-13 12:50 UTC (permalink / raw)
  To: Shannon Zhao, qemu-devel
  Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
	aneesh.kumar, shannon.zhao



On 13/03/2015 12:09, Shannon Zhao wrote:
> +    g_assert(strlen(path) < sizeof(helper.sun_path));

Ok.

>      sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>      if (sockfd < 0) {
>          fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>          return -1;
>      }
> -    strcpy(helper.sun_path, path);
> +    strncpy(helper.sun_path, path, sizeof(helper.sun_path));

strcpy is okay here.  strncpy makes people think of what happens if
strlen(path) == sizeof(helper.sun_path).  While this cannot happen here
because of the assertion, the function should still be used with care.

Paolo

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
  2015-03-13 12:50 ` Paolo Bonzini
@ 2015-03-14  1:19   ` Shannon Zhao
  0 siblings, 0 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-14  1:19 UTC (permalink / raw)
  To: Paolo Bonzini, qemu-devel
  Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
	aneesh.kumar, shannon.zhao

On 2015/3/13 20:50, Paolo Bonzini wrote:
> 
> 
> On 13/03/2015 12:09, Shannon Zhao wrote:
>> +    g_assert(strlen(path) < sizeof(helper.sun_path));
> 
> Ok.
> 
>>      sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>>      if (sockfd < 0) {
>>          fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>>          return -1;
>>      }
>> -    strcpy(helper.sun_path, path);
>> +    strncpy(helper.sun_path, path, sizeof(helper.sun_path));
> 
> strcpy is okay here.  strncpy makes people think of what happens if
> strlen(path) == sizeof(helper.sun_path).  While this cannot happen here
> because of the assertion, the function should still be used with care.
> 

Thanks, will fix along with the other patch.

-- 
Thanks,
Shannon

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
  2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
  2015-03-13 12:50 ` Paolo Bonzini
@ 2015-03-16  7:58 ` Aneesh Kumar K.V
  2015-03-16  9:30   ` Shannon Zhao
  1 sibling, 1 reply; 5+ messages in thread
From: Aneesh Kumar K.V @ 2015-03-16  7:58 UTC (permalink / raw)
  To: Shannon Zhao, qemu-devel
  Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
	shannon.zhao, pbonzini

Shannon Zhao <zhaoshenglong@huawei.com> writes:

> It's detected by coverity. As max of sockaddr_un.sun_path is
> sizeof(helper.sun_path), should check the length of source
> and use strncpy instead of strcpy.
>
> Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
> ---
>  hw/9pfs/virtio-9p-proxy.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 59c7445..fb1ab7b 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>      int sockfd, size;
>      struct sockaddr_un helper;
>  
> +    g_assert(strlen(path) < sizeof(helper.sun_path));

Since we are doing this from within Qemu, I did the below and folded
that into other sockadd_un.sun_path size checking patch.

diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 6bb191ee6ab8..71b6198bbd22 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
     int sockfd, size;
     struct sockaddr_un helper;
 
+    if (strlen(path) >= sizeof(helper.sun_path)) {
+        fprintf(stderr, "Socket name too large\n");
+        return -1;
+    }
     sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (sockfd < 0) {
         fprintf(stderr, "failed to create socket: %s\n", strerror(errno));


Let me know if that is ok for you.
         
>      sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>      if (sockfd < 0) {
>          fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>          return -1;
>      }
> -    strcpy(helper.sun_path, path);
> +    strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>      helper.sun_family = AF_UNIX;
>      size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>      if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
> -- 
> 1.8.3.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow
  2015-03-16  7:58 ` Aneesh Kumar K.V
@ 2015-03-16  9:30   ` Shannon Zhao
  0 siblings, 0 replies; 5+ messages in thread
From: Shannon Zhao @ 2015-03-16  9:30 UTC (permalink / raw)
  To: Aneesh Kumar K.V, qemu-devel
  Cc: peter.maydell, hangaohuai, qemu-trivial, mjt, peter.huangpeng,
	shannon.zhao, pbonzini

On 2015/3/16 15:58, Aneesh Kumar K.V wrote:
> Shannon Zhao <zhaoshenglong@huawei.com> writes:
> 
>> It's detected by coverity. As max of sockaddr_un.sun_path is
>> sizeof(helper.sun_path), should check the length of source
>> and use strncpy instead of strcpy.
>>
>> Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
>> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
>> ---
>>  hw/9pfs/virtio-9p-proxy.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
>> index 59c7445..fb1ab7b 100644
>> --- a/hw/9pfs/virtio-9p-proxy.c
>> +++ b/hw/9pfs/virtio-9p-proxy.c
>> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>>      int sockfd, size;
>>      struct sockaddr_un helper;
>>  
>> +    g_assert(strlen(path) < sizeof(helper.sun_path));
> 
> Since we are doing this from within Qemu, I did the below and folded
> that into other sockadd_un.sun_path size checking patch.
> 
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 6bb191ee6ab8..71b6198bbd22 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
>      int sockfd, size;
>      struct sockaddr_un helper;
>  
> +    if (strlen(path) >= sizeof(helper.sun_path)) {
> +        fprintf(stderr, "Socket name too large\n");
> +        return -1;
> +    }
>      sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>      if (sockfd < 0) {
>          fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
> 
> 
> Let me know if that is ok for you.
> 

That's OK. :-)

-- 
Thanks,
Shannon

>>      sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>>      if (sockfd < 0) {
>>          fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>>          return -1;
>>      }
>> -    strcpy(helper.sun_path, path);
>> +    strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>>      helper.sun_family = AF_UNIX;
>>      size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>>      if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
>> -- 
>> 1.8.3.1
> 
> 
> .
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-03-16  9:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-13 11:09 [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow Shannon Zhao
2015-03-13 12:50 ` Paolo Bonzini
2015-03-14  1:19   ` Shannon Zhao
2015-03-16  7:58 ` Aneesh Kumar K.V
2015-03-16  9:30   ` Shannon Zhao

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.