[libvirt] [PATCH] phyp: Fixing possible buffer overflow

The line src/phyp/phyp_driver.c:427 was crashing by buffer overflow if the return of the command wasn't <=10. The highest number for a LPAR ID is 256 per machine, no need to allocate 10 bytes for it. So, adjusting the correct size (+1 byte for the '\n') and checking for errors. --- src/phyp/phyp_driver.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c index ee1e21b..f8fd29b 100644 --- a/src/phyp/phyp_driver.c +++ b/src/phyp/phyp_driver.c @@ -383,7 +383,7 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids, int got = 0; char *char_ptr; unsigned int i = 0, j = 0; - char id_c[10]; + char id_c[4]; char *cmd = NULL; char *ret = NULL; const char *state; @@ -394,7 +394,7 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids, else state = " "; - memset(id_c, 0, 10); + memset(id_c, 0, 4); virBufferAddLit(&buf, "lssyscfg -r lpar"); if (system_type == HMC) @@ -410,6 +410,11 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids, ret = phypExec(session, cmd, &exit_status, conn); + if (strlen(ret) > 4) { + VIR_ERROR0(ret); + goto err; + } + /* I need to parse the textual return in order to get the ret */ if (exit_status < 0 || ret == NULL) goto err; -- 1.7.0.4