[Qemu-ppc] [PULL 05/40] spapr_iommu: use g_strdup

qemu-ppc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-ppc] [PULL 05/40] spapr_iommu: use g_strdup_printf() instead of sn

From:	David Gibson
Subject:	[Qemu-ppc] [PULL 05/40] spapr_iommu: use g_strdup_printf() instead of snprintf()
Date:	Fri, 8 Sep 2017 20:35:23 +1000

From: Greg Kurz <address@hidden>

Passing a stack allocated buffer of arbitrary length to snprintf()
without checking the return value can cause the resultant strings
to be silently truncated.

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
 hw/ppc/spapr_iommu.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c
index ed2d53559a..ed4388bd75 100644
--- a/hw/ppc/spapr_iommu.c
+++ b/hw/ppc/spapr_iommu.c
@@ -252,17 +252,19 @@ static int spapr_tce_table_realize(DeviceState *dev)
 {
     sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev);
     Object *tcetobj = OBJECT(tcet);
-    char tmp[32];
+    gchar *tmp;
 
     tcet->fd = -1;
     tcet->need_vfio = false;
-    snprintf(tmp, sizeof(tmp), "tce-root-%x", tcet->liobn);
+    tmp = g_strdup_printf("tce-root-%x", tcet->liobn);
     memory_region_init(&tcet->root, tcetobj, tmp, UINT64_MAX);
+    g_free(tmp);
 
-    snprintf(tmp, sizeof(tmp), "tce-iommu-%x", tcet->liobn);
+    tmp = g_strdup_printf("tce-iommu-%x", tcet->liobn);
     memory_region_init_iommu(&tcet->iommu, sizeof(tcet->iommu),
                              TYPE_SPAPR_IOMMU_MEMORY_REGION,
                              tcetobj, tmp, 0);
+    g_free(tmp);
 
     QLIST_INSERT_HEAD(&spapr_tce_tables, tcet, list);
 
@@ -307,7 +309,7 @@ void spapr_tce_set_need_vfio(sPAPRTCETable *tcet, bool 
need_vfio)
 sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn)
 {
     sPAPRTCETable *tcet;
-    char tmp[32];
+    gchar *tmp;
 
     if (spapr_tce_find_by_liobn(liobn)) {
         error_report("Attempted to create TCE table with duplicate"
@@ -318,8 +320,9 @@ sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, 
uint32_t liobn)
     tcet = SPAPR_TCE_TABLE(object_new(TYPE_SPAPR_TCE_TABLE));
     tcet->liobn = liobn;
 
-    snprintf(tmp, sizeof(tmp), "tce-table-%x", liobn);
+    tmp = g_strdup_printf("tce-table-%x", liobn);
     object_property_add_child(OBJECT(owner), tmp, OBJECT(tcet), NULL);
+    g_free(tmp);
 
     object_property_set_bool(OBJECT(tcet), true, "realized", NULL);
 
-- 
2.13.5

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-ppc] [PULL 07/40] spapr_iommu: convert TCE table object to realize(), (continued)
- [Qemu-ppc] [PULL 07/40] spapr_iommu: convert TCE table object to realize(), David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 03/40] hw/ppc: CAS reset on early device hotplug, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 11/40] spapr_iommu: pass object ownership to parent/owner, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 04/40] spapr_pci: use memory_region_add_subregion() with DMA windows, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 02/40] hw/ppc: clear pending_events on machine reset, David Gibson, 2017/09/08
  - Re: [Qemu-ppc] [PULL 02/40] hw/ppc: clear pending_events on machine reset, Peter Maydell, 2017/09/12
    - Re: [Qemu-ppc] [PULL 02/40] hw/ppc: clear pending_events on machine reset, Greg Kurz, 2017/09/12
- [Qemu-ppc] [PULL 12/40] spapr_iommu: unregister vmstate at unrealize time, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 08/40] spapr_pci: parent the MSI memory region to the PHB, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 10/40] spapr_drc: pass object ownership to parent/owner, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 05/40] spapr_iommu: use g_strdup_printf() instead of snprintf(), David Gibson <=
- [Qemu-ppc] [PULL 09/40] spapr_drc: add unrealize method to physical DRC class, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 01/40] hw/ppc/spapr_drc.c: change spapr_drc_needed to use drc->dev, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 14/40] e500: Use cpu_index instead of vcpu_dt_id, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 17/40] booke206: fix booke206_tlbnps for mav 2.0, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 18/40] booke206: fix tlbnps for fixed size TLB, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 06/40] spapr_drc: use g_strdup_printf() instead of snprintf(), David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 20/40] ppc64: introduce e6500, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 19/40] booke206: allow to specify an mmucfg value at the init, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 15/40] ppc: spapr: Rename cpu_dt_id to vcpu_id, David Gibson, 2017/09/08
- [Qemu-ppc] [PULL 21/40] spapr_iommu: Realloc guest visible TCE table when hot(un)plugging vfio-pci, David Gibson, 2017/09/08

Prev by Date: [Qemu-ppc] [PULL 10/40] spapr_drc: pass object ownership to parent/owner
Next by Date: [Qemu-ppc] [PULL 09/40] spapr_drc: add unrealize method to physical DRC class
Previous by thread: [Qemu-ppc] [PULL 10/40] spapr_drc: pass object ownership to parent/owner
Next by thread: [Qemu-ppc] [PULL 09/40] spapr_drc: add unrealize method to physical DRC class
Index(es):
- Date
- Thread