[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH]ioemu: fix buffer overflow of vslots

On Wed, Mar 25, 2009 at 06:08:16PM +0800, Cui, Dexuan wrote:
> Assuming we assign n devices, strlen(direct_pci) can be 13n and the length of 
> the old 'vslots' is 13n/3 which is smaller than 5n+1 (1 slot_str takes 5 
> bytes).
> So we have to malloc a bigger buffer for vslots.
> 
> Signed-off-by: Dexuan Cui <dexuan.cui@xxxxxxxxx>
> 
> diff --git a/hw/pass-through.c b/hw/pass-through.c
> index f5cdcdd..07cd4f4 100644
> --- a/hw/pass-through.c
> +++ b/hw/pass-through.c
> @@ -3934,10 +3934,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
>      if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
>          return 0;
> 
> -    /* the virtual pci slots of all pass-through devs
> -     * with hex format: xx;xx...;
> +    /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may
> +     * be even longer considering the per-device opts(see the parsing for
> +     * '/local/domain/0/backend/pci/XX/YY/opts-ZZ' in
> +     * xenstore_parse_domain_config().
> +     *
> +     * The format of vslots(virtual pci slots of all pass-through devs):
> +     * 0xXX;0xXX;... (see the code below).
> +     *
> +     * We're sure the length of direct_pci is bigger than that of vslots.
>       */
> -    vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
> +    vslots = qemu_mallocz(strlen(direct_pci) + 1);

This looks good to me.

> +    if ( vslots == NULL )
> +    {
> +        status = -1;

Status is already -1 at this point.

> +        goto err;
> +    }
> 
>      /* Assign given devices to guest */
>      while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f, &opt) )
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel

-- 
Simon Horman
  VA Linux Systems Japan K.K., Sydney, Australia Satellite Office
  H: www.vergenet.net/~horms/             W: www.valinux.co.jp/en


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.