On Mon, Apr 28, 2008 at 11:42:47PM +0100, Daniel P. Berrange wrote:
> The Xen driver uses a regex to process the hypervisor capabilities data
>
>   "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";
>
> notice how the last match group, however, is optional due to the '?'. The
> code processing matches does not check to see if the match is present or
> not, and just indexes the string on match 3
>
>   if (strncmp (&token[subs[3].rm_so], "p", 1) == 0)
>
> Unfortunately, subs[3].rm_so is -1 if the match was not present, so we're
> doing an out of bounds array access here. This is fairly harmless, but it
> is still good to fix it. So this patch adds a check for -1 before accessing
> the match. I also replace the strncmp() calls with a call to the brand new
> STRPREFIX() convenience macro

Okidoc, I assume valgrind spotted that, that's fairly well hidden ...
+1
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
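
The check described in the quoted patch description, as an added example that is not the libvirt patch or any code from this thread: it uses the regex quoted above with POSIX `regexec()` and tests `rm_so` for -1 before indexing the token. The `STRPREFIX()` definition, the `classify_suffix()` helper, the enum names and the sample tokens are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for the STRPREFIX() macro named in the post (assumed definition). */
#define STRPREFIX(a, b) (strncmp((a), (b), strlen(b)) == 0)

/* Pattern quoted in the post; group 3 is optional because of the trailing '?'. */
static const char *cap_pattern =
    "(xen|hvm)-[[:digit:]]+\\.[[:digit:]]+-(x86_32|x86_64|ia64|powerpc64)(p|be)?";

enum cap_suffix { CAP_NOMATCH = -1, CAP_SUFFIX_ABSENT, CAP_SUFFIX_P, CAP_SUFFIX_BE };

/* Hypothetical helper: classify the optional third group of one capability token. */
enum cap_suffix classify_suffix(const char *token)
{
    regex_t re;
    regmatch_t subs[4];   /* subs[0] = whole match, subs[1..3] = groups */
    enum cap_suffix result = CAP_NOMATCH;

    if (regcomp(&re, cap_pattern, REG_EXTENDED) != 0)
        return CAP_NOMATCH;
    if (regexec(&re, token, 4, subs, 0) == 0) {
        /* An unmatched group is reported as rm_so == -1; indexing token[-1]
         * would read one byte before the buffer, so test for it first. */
        if (subs[3].rm_so == -1)
            result = CAP_SUFFIX_ABSENT;
        else if (STRPREFIX(&token[subs[3].rm_so], "p"))
            result = CAP_SUFFIX_P;
        else if (STRPREFIX(&token[subs[3].rm_so], "be"))
            result = CAP_SUFFIX_BE;
    }
    regfree(&re);
    return result;
}

int main(void)
{
    /* Constructed sample tokens, not taken from a real hypervisor. */
    const char *samples[] = { "xen-3.0-x86_32p", "hvm-3.0-x86_64",
                              "xen-3.0-powerpc64be", "not-a-capability" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s -> %d\n", samples[i], classify_suffix(samples[i]));
    return 0;
}
```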