[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5 10/12] libxl: ocaml: fix memory corruption when converting string and key/values lists

To: Rob Hoes <rob.hoes@xxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Tue, 26 Nov 2013 18:01:51 +0000
Cc: ian.jackson@xxxxxxxxxx, dave.scott@xxxxxxxxxxxxx, ian.campbell@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxx
Delivery-date: Tue, 26 Nov 2013 18:02:23 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/11/13 17:52, Rob Hoes wrote:
> Found by Coverty. CIDs: 1128562 1128563 1128564 1128565.
>
> Signed-off-by: Rob Hoes <rob.hoes@xxxxxxxxxx>

It is worth further stating that this is due to incorrect indirections,
just like b0be2b126ea75a83a3778b4e1710d248f92cf528

Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

FWIW, the libxl_string_list tyepdef makes it far too easy to do this. 
It might be worth trying to turn it into an opaque type to reduce these
kinds of errors.

> ---
>  tools/ocaml/libs/xl/xenlight_stubs.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tools/ocaml/libs/xl/xenlight_stubs.c 
> b/tools/ocaml/libs/xl/xenlight_stubs.c
> index 7012045..a2d47f9 100644
> --- a/tools/ocaml/libs/xl/xenlight_stubs.c
> +++ b/tools/ocaml/libs/xl/xenlight_stubs.c
> @@ -159,8 +159,8 @@ static value Val_key_value_list(libxl_key_value_list 
> *c_val)
>  
>       list = Val_emptylist;
>       for (i = libxl_string_list_length((libxl_string_list *) c_val) - 1; i 
> >= 0; i -= 2) {
> -             val = caml_copy_string((char *) c_val[i]);
> -             key = caml_copy_string((char *) c_val[i - 1]);
> +             val = caml_copy_string((*c_val)[i]);
> +             key = caml_copy_string((*c_val)[i - 1]);
>               kv = caml_alloc_tuple(2);
>               Store_field(kv, 0, key);
>               Store_field(kv, 1, val);
> @@ -201,7 +201,7 @@ static value Val_string_list(libxl_string_list *c_val)
>  
>       list = Val_emptylist;
>       for (i = libxl_string_list_length(c_val) - 1; i >= 0; i--) {
> -             string = caml_copy_string((char *) c_val[i]);
> +             string = caml_copy_string((*c_val)[i]);
>               cons = caml_alloc(2, 0);
>               Store_field(cons, 0, string);   // head
>               Store_field(cons, 1, list);     // tail


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v5 00/12] libxl: ocaml: improve the bindings
  - From: Rob Hoes
- [Xen-devel] [PATCH v5 10/12] libxl: ocaml: fix memory corruption when converting string and key/values lists
  - From: Rob Hoes

Prev by Date: Re: [Xen-devel] pvgrub2 is merged
Next by Date: Re: [Xen-devel] [PATCH v5 11/12] libxl: ocaml: remove dead code in xentoollog bindings
Previous by thread: [Xen-devel] [PATCH v5 10/12] libxl: ocaml: fix memory corruption when converting string and key/values lists
Next by thread: Re: [Xen-devel] [PATCH v5 10/12] libxl: ocaml: fix memory corruption when converting string and key/values lists
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.