[Libvir] [PATCH] Don't access line[-1] for a zero-length "line" from fgets.

In reviewing the StorageAPI patches, I saw that some bogus input could cause a segfault. There's similar code in libvirt.c, so this fixes both. Note that virsh.c does this, too, but it already has the required guard. The src/libvirt.c patch applies to the trunk, but isn't a big deal, since it's in the sample AuthCallback function. The storage_backend.c part applies to the work-in-progress mercurial queue, but does matter, because we have no guarantee what the exec'd command will output. Don't access line[-1] for a zero-length "line" from fgets. A NUL byte at beginning of input, or just after a newline would provoke an invalid buf[-1] access (possible segfault). * src/libvirt.c (virConnectAuthCallbackDefault): * src/storage_backend.c (virStorageBackendRunProgRegex): Signed-off-by: Jim Meyering <meyering@redhat.com> --- src/libvirt.c | 6 ++++-- src/storage_backend.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index 2972382..331c937 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -74,6 +74,7 @@ static int virConnectAuthCallbackDefault(virConnectCredentialPtr cred, for (i = 0 ; i < ncred ; i++) { char buf[1024]; char *bufptr = buf; + size_t len; if (printf("%s:", cred[i].prompt) < 0) return -1; @@ -92,8 +93,9 @@ static int virConnectAuthCallbackDefault(virConnectCredentialPtr cred, } return -1; } - if (buf[strlen(buf)-1] == '\n') - buf[strlen(buf)-1] = '\0'; + len = strlen(buf); + if (len != 0 && buf[len-1] == '\n') + buf[len-1] = '\0'; break; case VIR_CRED_PASSPHRASE: diff --git a/src/storage_backend.c b/src/storage_backend.c index 32a8d65..58d8642 100644 --- a/src/storage_backend.c +++ b/src/storage_backend.c @@ -338,7 +338,7 @@ int virStorageBackendRunProgRegex(virConnectPtr conn, while (fgets(line, sizeof(line), list) != NULL) { /* Strip trailing newline */ int len = strlen(line); - if (line[len-1] == '\n') + if (len && line[len-1] == '\n') line[len-1] = '\0'; for (i = 0 ; i <= maxReg && i < nregex ; i++) { -- 1.5.4.rc4.1.g1895

Jim Meyering wrote:
In reviewing the StorageAPI patches, I saw that some bogus input could cause a segfault. There's similar code in libvirt.c, so this fixes both. Note that virsh.c does this, too, but it already has the required guard.
The src/libvirt.c patch applies to the trunk, but isn't a big deal, since it's in the sample AuthCallback function.
The storage_backend.c part applies to the work-in-progress mercurial queue, but does matter, because we have no guarantee what the exec'd command will output.
+1. Rich. -- Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/ Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 03798903

On Mon, Jan 21, 2008 at 01:37:25PM +0100, Jim Meyering wrote:
In reviewing the StorageAPI patches, I saw that some bogus input could cause a segfault. There's similar code in libvirt.c, so this fixes both. Note that virsh.c does this, too, but it already has the required guard.
Oops ! +1 Daniel -- Red Hat Virtualization group http://redhat.com/virtualization/ Daniel Veillard | virtualization library http://libvirt.org/ veillard@redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/

Daniel Veillard <veillard@redhat.com> wrote:
On Mon, Jan 21, 2008 at 01:37:25PM +0100, Jim Meyering wrote:
In reviewing the StorageAPI patches, I saw that some bogus input could cause a segfault. There's similar code in libvirt.c, so this fixes both. Note that virsh.c does this, too, but it already has the required guard.
Oops ! +1
Applied. BTW, I noticed I had not committed some ChangeLog file entries last week (though the content _is_ in the cvs commit logs), so I added those at the same time.
participants (3)
-
Daniel Veillard
-
Jim Meyering
-
Richard W.M. Jones