See previous patch for why this is good...
* src/util/pci.c (struct _pciDevice, pciGetDevice, pciFreeDevice):
Manage path dynamically. Report snprintf overflow.
* src/util/hostusb.c (struct _usbDevice, usbGetDevice)
(usbFreeDevice): Likewise.
---
src/util/hostusb.c | 32 +++++++++++++++++++++++++-------
src/util/pci.c | 31 +++++++++++++++++++++++++------
2 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/src/util/hostusb.c b/src/util/hostusb.c
index d5b478b..1669e2f 100644
--- a/src/util/hostusb.c
+++ b/src/util/hostusb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2010 Red Hat, Inc.
+ * Copyright (C) 2009-2011 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -48,7 +48,7 @@ struct _usbDevice {
char name[USB_ADDR_LEN]; /* domain:bus:slot.function */
char id[USB_ID_LEN]; /* product vendor */
- char path[PATH_MAX];
+ char *path;
};
/* For virReportOOMError() and virReportSystemError() */
@@ -171,13 +171,30 @@ usbGetDevice(unsigned bus,
dev->bus = bus;
dev->dev = devno;
- snprintf(dev->name, sizeof(dev->name), "%.3o:%.3o",
- dev->bus, dev->dev);
- snprintf(dev->path, sizeof(dev->path),
- USB_DEVFS "%03d/%03d", dev->bus, dev->dev);
+ if (snprintf(dev->name, sizeof(dev->name), "%.3o:%.3o",
+ dev->bus, dev->dev) >= sizeof(dev->name)) {
+ usbReportError(VIR_ERR_INTERNAL_ERROR,
+ _("dev->name buffer overflow: %.3o:%.3o"),
+ dev->bus, dev->dev);
+ usbFreeDevice(dev);
+ return NULL;
+ }
+ if (virAsprintf(&dev->path, USB_DEVFS "%03d/%03d",
+ dev->bus, dev->dev) < 0) {
+ virReportOOMError();
+ usbFreeDevice(dev);
+ return NULL;
+ }
/* XXX fixme. this should be product/vendor */
- snprintf(dev->id, sizeof(dev->id), "%d %d", dev->bus,
dev->dev);
+ if (snprintf(dev->id, sizeof(dev->id), "%d %d", dev->bus,
+ dev->dev) >= sizeof(dev->id)) {
+ usbReportError(VIR_ERR_INTERNAL_ERROR,
+ _("dev->id buffer overflow: %d %d"),
+ dev->bus, dev->dev);
+ usbFreeDevice(dev);
+ return NULL;
+ }
VIR_DEBUG("%s %s: initialized", dev->id, dev->name);
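Review bot: The new truncation checks in usbGetDevice compare snprintf's `int` return directly with `sizeof(...)`, so a negative (error) return is caught only because it converts to a very large unsigned value, and it is then reported as a "buffer overflow". Making both cases explicit reads more clearly and avoids sign-compare warnings: store the result in `int rc` and test `if (rc < 0 || (size_t)rc >= sizeof(dev->name)) {`. The same pattern is used for dev->id in this hunk and for dev->name and dev->id in the two pciGetDevice hunks. The body of usbGetDevice starts and ends outside this hunk.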
@@ -203,6 +220,7 @@ void
usbFreeDevice(usbDevice *dev)
{
VIR_DEBUG("%s %s: freeing", dev->id, dev->name);
+ VIR_FREE(dev->path);
VIR_FREE(dev);
}
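Review bot: usbFreeDevice dereferences dev unconditionally, in the existing VIR_DEBUG line and now also in the added `VIR_FREE(dev->path);`, so a NULL argument would crash. The pciFreeDevice hunk in this patch shows an early `return;` before its own debug line, which looks like a NULL guard. Adding `if (!dev) return;` at the top here would make the two free functions consistent and safe to call from cleanup paths.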
diff --git a/src/util/pci.c b/src/util/pci.c
index 8b2ca42..46a3a83 100644
--- a/src/util/pci.c
+++ b/src/util/pci.c
@@ -56,7 +56,7 @@ struct _pciDevice {
char name[PCI_ADDR_LEN]; /* domain:bus:slot.function */
char id[PCI_ID_LEN]; /* product vendor */
- char path[PATH_MAX];
+ char *path;
int fd;
unsigned initted;
@@ -1307,10 +1307,21 @@ pciGetDevice(unsigned domain,
dev->slot = slot;
dev->function = function;
- snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x",
- dev->domain, dev->bus, dev->slot, dev->function);
- snprintf(dev->path, sizeof(dev->path),
- PCI_SYSFS "devices/%s/config", dev->name);
+ if (snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x",
+ dev->domain, dev->bus, dev->slot,
+ dev->function) >= sizeof(dev->name)) {
+ pciReportError(VIR_ERR_INTERNAL_ERROR,
+ _("dev->name buffer overflow: %.4x:%.2x:%.2x.%.1x"),
+ dev->domain, dev->bus, dev->slot, dev->function);
+ pciFreeDevice(dev);
+ return NULL;
+ }
+ if (virAsprintf(&dev->path, PCI_SYSFS "devices/%s/config",
+ dev->name) < 0) {
+ virReportOOMError();
+ pciFreeDevice(dev);
+ return NULL;
+ }
if (access(dev->path, F_OK) != 0) {
virReportSystemError(errno,
@@ -1334,7 +1345,14 @@ pciGetDevice(unsigned domain,
}
/* strings contain '0x' prefix */
- snprintf(dev->id, sizeof(dev->id), "%s %s", &vendor[2],
&product[2]);
+ if (snprintf(dev->id, sizeof(dev->id), "%s %s", &vendor[2],
+ &product[2]) >= sizeof(dev->id)) {
+ pciReportError(VIR_ERR_INTERNAL_ERROR,
+ _("dev->id buffer overflow: %s %s"),
+ &vendor[2], &product[2]);
+ pciFreeDevice(dev);
+ return NULL;
+ }
VIR_FREE(product);
VIR_FREE(vendor);
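Review bot: The added early return on dev->id truncation leaks vendor and product, because the `VIR_FREE(product);` and `VIR_FREE(vendor);` calls sit after the new block and are skipped by `return NULL;`. Both appear to be heap strings owned by pciGetDevice at this point, since they are freed immediately afterwards. Add `VIR_FREE(product);` and `VIR_FREE(vendor);` inside the error branch, after the pciReportError call (which still reads them) and before `return NULL;`. The rest of pciGetDevice lies outside this hunk.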
@@ -1351,6 +1369,7 @@ pciFreeDevice(pciDevice *dev)
return;
VIR_DEBUG("%s %s: freeing", dev->id, dev->name);
pciCloseConfig(dev);
+ VIR_FREE(dev->path);
VIR_FREE(dev);
}
--
1.7.4.4