qemu-s390x
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] hw/scsi/scsi-disk: Avoid buffer overrun parsing 'loadpar


From: Paolo Bonzini
Subject: Re: [PATCH 2/2] hw/scsi/scsi-disk: Avoid buffer overrun parsing 'loadparam'
Date: Wed, 20 Nov 2024 10:10:51 +0100
User-agent: Mozilla Thunderbird

On 11/20/24 09:53, Philippe Mathieu-Daudé wrote:
@@ -112,7 +113,7 @@ struct SCSIDiskState {
      char *vendor;
      char *product;
      char *device_id;
-    char *loadparm;     /* only for s390x */
+    char loadparm[LOADPARM_LEN]; /* only for s390x */

You would need a +1 here because of

static char *scsi_property_get_loadparm(Object *obj, Error **errp)
{
    return g_strdup(SCSI_DISK_BASE(obj)->loadparm);
}

expecting NUL-termination as well.

-    lp_str = g_malloc0(strlen(value));

I have sent a pull request that simply adds the +1 here, also because...

-    if (!qdev_prop_sanitize_s390x_loadparm(lp_str, value, errp)) {
-        g_free(lp_str);
-        return;
-    }
-    SCSI_DISK_BASE(obj)->loadparm = lp_str;
+    qdev_prop_sanitize_s390x_loadparm(SCSI_DISK_BASE(obj)->loadparm, value, 
errp);

... this would overwrite SCSI_DISK_BASE(obj)->loadparm in case of error. Note how the code is setting loadparm only after a successful qdev_prop_sanitize_s390x_loadparm. That's not a problem in practice, because failing to set a property is usually fatal, but not good style either.

Thanks,

Paolo




reply via email to

[Prev in Thread] Current Thread [Next in Thread]