[PATCH] storage_file_probe: change maximum len value in vmdk4GetBackingStore
From: Anastasia Belova <abelova@astralinux.ru> desc length should be always less than VIR_STORAGE_MAX_HEADER. If len = VIR_STORAGE_MAX_HEADER, desc may be out of bounds. Fixes: 296032bfb2 ("util: extract storage file probe code into virtstoragefileprobe.c") Signed-off-by: Anastasia Belova <abelova@astralinux.ru> --- src/storage_file/storage_file_probe.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/storage_file/storage_file_probe.c b/src/storage_file/storage_file_probe.c index 9465af5d96..0dcc9c2c54 100644 --- a/src/storage_file/storage_file_probe.c +++ b/src/storage_file/storage_file_probe.c @@ -586,8 +586,8 @@ vmdk4GetBackingStore(char **res, return BACKING_STORE_INVALID; len = buf_size - 0x200; - if (len > VIR_STORAGE_MAX_HEADER) - len = VIR_STORAGE_MAX_HEADER; + if (len >= VIR_STORAGE_MAX_HEADER) + len = VIR_STORAGE_MAX_HEADER - 1; memcpy(desc, buf + 0x200, len); desc[len] = '\0'; start = strstr(desc, prefix); -- 2.30.2
On a Wednesday in 2023, Анастасия Белова wrote:
From: Anastasia Belova <abelova@astralinux.ru>
desc length should be always less than VIR_STORAGE_MAX_HEADER. If len = VIR_STORAGE_MAX_HEADER, desc may be out of bounds.
Fixes: 296032bfb2 ("util: extract storage file probe code into virtstoragefileprobe.c")
That commit only moved the code. The off-by-one error was introduced by: commit 348b4e254bea98c83107887c0cf64c6572063d64 storage: always probe type with buffer
Signed-off-by: Anastasia Belova <abelova@astralinux.ru> --- src/storage_file/storage_file_probe.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
participants (2)
-
Ján Tomko -
Анастасия Белова