[PATCH v8.0.1 01/36] vnc: avoid underflow when accessing user-provided a
From: Michael Tokarev
Subject: [PATCH v8.0.1 01/36] vnc: avoid underflow when accessing user-provided address
Date: Wed, 17 May 2023 11:00:21 +0300
From: Paolo Bonzini <pbonzini@redhat.com>
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracket is there, hostlen - 2 is passed
to g_strndup() on the next line. If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.
Fix it by checking hostlen.
Reported by Coverity.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
ui/vnc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index bbd8b6baae..9d8a24dd8a 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr,
addr->type = SOCKET_ADDRESS_TYPE_INET;
inet = &addr->u.inet;
- if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+ if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
inet->host = g_strndup(addrstr + 1, hostlen - 2);
} else {
inet->host = g_strndup(addrstr, hostlen);
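Review bot: the new `hostlen &&` test on the `if` line rules out hostlen == 0, but the safety of `hostlen - 2` in the g_strndup() call on the next line still rests on an unstated fact: a one-character string cannot both start with '[' and end with ']', so the bracket branch is only reached with hostlen >= 2. Writing the guard as `hostlen >= 2 && addrstr[0] == '[' && ...` would make that invariant explicit and keep it intact if the condition is edited later. Separately, with hostlen == 0 the else branch now produces an empty inet->host via g_strndup(addrstr, 0), and an input of "[]" does the same through the bracket branch. Nothing in the visible lines shows whether an empty host is accepted or rejected downstream, so a short comment or an explicit check here would help the next reader.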
--
2.39.2