In subject:
"Don't overrun buffer when converting cpumap" perhaps? That would IMHO
explain the patch a bit more when looking at shortlog.
On Fri, Oct 28, 2016 at 13:41:10 +0300, Konstantin Neumoin wrote:
If we pass a large (more than cpunum) cpu mask to any libvirt_virDomainPin*
function, it could lead to a crash. So we have to check the tuple size in
virPyCpuMapToChar and ignore extra tuple members.
Signed-off-by: Konstantin Neumoin <kneumoin(a)virtuozzo.com>
---
libvirt-utils.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libvirt-utils.c b/libvirt-utils.c
index aaf4bea..3fc0fdd 100644
--- a/libvirt-utils.c
+++ b/libvirt-utils.c
@@ -589,7 +589,8 @@ virPyDictToTypedParams(PyObject *dict,
/* virPyCpuMapToChar
- * @cpunum: the number of cpus
+ * @cpunum: the number of cpus, only this first elements make sense,
+ * so others will be ignored(filled by zeros).

So this sentence belongs to the previous patch and I'd put it below into
the text explaining how this variable is treated.

* @pycpumap: source Py cpu map
* @cpumapptr: destination cpu map
* @cpumaplen: destination cpu map length
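
Review bot: the new @cpunum text ("only this first elements make sense, so others will be ignored(filled by zeros)") is ungrammatical and does not say which elements are meant or what gets filled with zeros. Suggest wording it in terms of the parameters, for example "@cpunum: the number of cpus; only the first @cpunum elements of @pycpumap are used", and moving any remark about zero-filling next to the description of the destination map if that is what it refers to.
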
@@ -604,7 +605,7 @@ virPyCpuMapToChar(int cpunum,
unsigned char **cpumapptr,
int *cpumaplen)
{
- int tuple_size;
+ int tuple_size, rel_cpumaplen;
size_t i;
int i_retval = -1;
*cpumapptr = NULL;
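
Review bot: rel_cpumaplen on the changed declaration line is a signed int that is later compared against the size_t loop index i, and its name reads like a variant of @cpumaplen (the destination map length) although it holds a count of tuple elements. Declaring it as size_t, or dropping it in favour of a two-part loop condition, and choosing a name that says "number of cpus to copy" would remove both the sign conversion and the naming confusion.
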
@@ -624,7 +625,9 @@ virPyCpuMapToChar(int cpunum,
goto exit;
}
- for (i = 0; i < tuple_size; i++) {
+ rel_cpumaplen = MIN(cpunum, tuple_size);
+
+ for (i = 0; i < rel_cpumaplen; i++) {

You can avoid the temporary variable by checking both tuple_size and
cpumaplen in the condition.

PyObject *flag = PyTuple_GetItem(pycpumap, i);
bool b;
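
Review bot: MIN(cpunum, tuple_size) is only a safe loop bound when cpunum is non-negative; cpunum is an int parameter and nothing in the visible lines validates it, so a negative value would make rel_cpumaplen negative, and comparing it with the size_t index i would convert it to a very large unsigned bound. Suggest rejecting cpunum <= 0 before the loop, or stating in the function comment that callers must guarantee a positive value.
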
Not visible in the context is the second for loop that clears the rest
of the bits from the tuple which exceed "cpumap". This is not necessary
any more since you now fill only the first elements.
Peter
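
The bound discussed in this thread, as an added stand-alone C example that is not part of the patch or of libvirt-python: flags_to_cpumap, MAP_LEN and the plain bool array standing in for the Python tuple are assumptions made for illustration. It puts both limits in the loop condition, as suggested in the review, and rejects a non-positive cpunum before any signed/unsigned comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes needed for a bitmap with one bit per CPU (assumed layout). */
#define MAP_LEN(ncpus) (((ncpus) + 7) / 8)

/*
 * Hypothetical stand-in for the tuple conversion: flags/nflags model the
 * caller-supplied tuple, cpunum is the CPU count the map is sized for.
 * Returns 0 and a zero-initialised map on success, -1 on bad input.
 */
int flags_to_cpumap(int cpunum, const bool *flags, size_t nflags,
                    unsigned char **map, int *maplen)
{
    size_t i;

    *map = NULL;
    *maplen = 0;
    /* Reject bad counts before cpunum is ever compared with a size_t. */
    if (cpunum <= 0 || flags == NULL)
        return -1;

    *maplen = MAP_LEN(cpunum);
    *map = calloc((size_t)*maplen, 1);  /* CPUs without a flag stay cleared */
    if (*map == NULL)
        return -1;

    /* Both limits in the condition: entries past cpunum are ignored. */
    for (i = 0; i < nflags && i < (size_t)cpunum; i++) {
        if (flags[i])
            (*map)[i / 8] |= (unsigned char)(1u << (i % 8));
    }
    return 0;
}

int main(void)
{
    bool flags[20];              /* constructed input: 20 flags, 10 CPUs */
    unsigned char *map;
    int maplen;
    for (size_t i = 0; i < 20; i++)
        flags[i] = true;
    if (flags_to_cpumap(10, flags, 20, &map, &maplen) == 0)
        printf("maplen=%d map=%02x %02x\n", maplen, map[0], map[1]);
    free(map);
    return 0;
}
```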