From: Philippe Mathieu-Daudé
Subject: Re: [Qemu-stable] [Qemu-devel] [PATCH] slirp: check sscanf result when emulating ident
Date: Sat, 2 Mar 2019 18:42:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
Hi William, Samuel,
On 3/1/19 10:45 PM, William Bowling wrote:
> When emulating ident in tcp_emu, if the strchr checks passed but the
> sscanf check failed, two uninitialized variables would be copied and
> sent in the reply.
William: How did you notice that? Using a static analyzer?
Samuel: since this diff is not obvious without looking at the context
(also due to the code re-indent), can you improve the commit
description, such as (or better):
"Move this code inside the if(sscanf()) clause".
We have a data leak, Cc'ing qemu-stable.
(Adding the address I noticed you Cc'ed address@hidden, so that
confirms my guess).
>
> Signed-off-by: William Bowling <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Thanks,
Phil.
> ---
> slirp/tcp_subr.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
> index 262a42d6c8..73a160ba16 100644
> --- a/slirp/tcp_subr.c
> +++ b/slirp/tcp_subr.c
> @@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
> break;
> }
> }
> - }
> - so_rcv->sb_cc = snprintf(so_rcv->sb_data,
> - so_rcv->sb_datalen,
> - "%d,%d\r\n", n1,
> n2);
> - so_rcv->sb_rptr = so_rcv->sb_data;
> - so_rcv->sb_wptr = so_rcv->sb_data +
> so_rcv->sb_cc;
> + so_rcv->sb_cc = snprintf(so_rcv->sb_data,
> + so_rcv->sb_datalen,
> + "%d,%d\r\n", n1, n2);
> + so_rcv->sb_rptr = so_rcv->sb_data;
> + so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
> + }
> }
> m_free(m);
> return 0;
>
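Review bot: the only semantic change in this hunk is the closing `}` moving from before `so_rcv->sb_cc = snprintf(...)` to after `so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;`, but the conditional that the block now sits under is outside the shown context, so a reader cannot verify from the diff alone which `if` it is. The commit message should name it (the `sscanf()` result check) and state the new behaviour on the failure path: a request that passes the `strchr` checks but does not parse now leaves `so_rcv` untouched and no reply is queued, while the `m_free(m); return 0;` in the trailing context still runs. Since the rest of the hunk is a re-indent, mentioning that the change is brace-only (e.g. "reviewable with `git diff -w`") would also help stable backporters.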
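To make the bug class in the commit message concrete, here is an added C example that is not slirp's code: it models the ident reply path with the `sscanf()` result ignored (the pre-patch shape) next to the checked form (the post-patch shape). The request format `"<port>, <port>\r\n"`, the `strchr` guard on `','` and `'\r'`, the `%d%*[ ,]%d` format, and the `STALE` value standing in for whatever the uninitialized `n1`/`n2` happened to hold are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of an ident emulation reply path (not slirp's code).
 * An ident request carries two port numbers, "<port>, <port>\r\n", and the
 * emulated reply echoes them back as "<port>,<port>\r\n".
 */

/* Stand-in for the uninitialized stack contents of n1/n2. Reading truly
 * uninitialized ints is undefined behaviour, so the example seeds them
 * with a recognisable value to show deterministically what leaks. */
#define STALE 4444

/* Pre-fix shape: the sscanf() return value is ignored. A request that
 * passes the strchr() guards but does not fully parse leaves n1/n2 with
 * their stale contents, and those are formatted into the reply. */
int ident_reply_unchecked(const char *req, char *out, size_t outlen)
{
    int n1 = STALE, n2 = STALE;

    if (strchr(req, ',') == NULL || strchr(req, '\r') == NULL) {
        return -1;                              /* not an ident request */
    }
    sscanf(req, "%d%*[ ,]%d", &n1, &n2);        /* result ignored (bug) */
    return snprintf(out, outlen, "%d,%d\r\n", n1, n2);
}

/* Post-fix shape: a reply is produced only when both integers were
 * actually assigned by sscanf(). On any other outcome the caller gets
 * -1 and nothing is written to the reply buffer. */
int ident_reply_checked(const char *req, char *out, size_t outlen)
{
    int n1, n2;

    if (strchr(req, ',') == NULL || strchr(req, '\r') == NULL) {
        return -1;
    }
    if (sscanf(req, "%d%*[ ,]%d", &n1, &n2) != 2) {
        return -1;                              /* malformed: no reply */
    }
    return snprintf(out, outlen, "%d,%d\r\n", n1, n2);
}

/* Test/demo helper: 1 if fn() answers `req` with exactly `expected`,
 * 0 if it declined to reply or produced something else. */
int reply_equals(int (*fn)(const char *, char *, size_t),
                 const char *req, const char *expected)
{
    char buf[64];
    int n = fn(req, buf, sizeof buf);
    return n > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed request, one that passes the
     * strchr() guards but fails to parse its second field. */
    const char *good = "123, 456\r\n";
    const char *bad  = "123, x\r\n";
    char buf[64];
    int n;

    n = ident_reply_unchecked(bad, buf, sizeof buf);
    printf("unchecked, malformed request: n=%d reply=%s", n, n > 0 ? buf : "(none)\n");

    n = ident_reply_checked(bad, buf, sizeof buf);
    printf("checked,   malformed request: n=%d reply=%s", n, n > 0 ? buf : "(none)\n");

    n = ident_reply_checked(good, buf, sizeof buf);
    printf("checked,   valid request:     n=%d reply=%s", n, n > 0 ? buf : "(none)\n");
    return 0;
}
```

The unchecked variant answers the malformed request with `123,4444`, i.e. the stale value reaches the peer; the checked variant returns -1 and writes nothing, which is the behaviour the patch's moved brace produces in `tcp_emu`.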