[libvirt] [PATCH] buf: protect against integer overflow

It's unlikely that we'll ever want to escape a string as long as INT_MAX/6, but adding this check can't hurt. * src/util/buf.c (virBufferEscapeSexpr, virBufferEscapeString): Check for (unlikely) overflow. --- src/util/buf.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/buf.c b/src/util/buf.c index 750e277..5002486 100644 --- a/src/util/buf.c +++ b/src/util/buf.c @@ -311,7 +311,8 @@ virBufferEscapeString(const virBufferPtr buf, const char *format, const char *st return; } - if (VIR_ALLOC_N(escaped, 6 * len + 1) < 0) { + if (xalloc_oversized(6, len) || + VIR_ALLOC_N(escaped, 6 * len + 1) < 0) { virBufferSetError(buf); return; } @@ -398,7 +399,8 @@ virBufferEscapeSexpr(const virBufferPtr buf, return; } - if (VIR_ALLOC_N(escaped, 2 * len + 1) < 0) { + if (xalloc_oversized(2, len) || + VIR_ALLOC_N(escaped, 2 * len + 1) < 0) { virBufferSetError(buf); return; } -- 1.7.4.4
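Review bot: in the virBufferEscapeString hunk the guard tests xalloc_oversized(6, len), while the size actually requested is 6 * len + 1, so the check and the allocation are not the same expression. Add a comment stating why the trailing + 1 cannot wrap once the product is known to be in range, or fold the terminator byte into the guard. The commit message also gives the limit as INT_MAX/6, and the hunk does not show the type of len; if len is narrower than size_t, the bound enforced by the guard should be stated in terms of that type.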
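Review bot: the virBufferEscapeSexpr hunk repeats the guard from virBufferEscapeString with only the multiplier changed, and that multiplier now appears twice in the condition, once in xalloc_oversized(2, len) and once in 2 * len + 1. A later edit that changes one and not the other would silently weaken the check; a named constant for the expansion factor, or a small shared helper that performs the check and the allocation together, would keep the two in step. The overflow case also falls through to the same virBufferSetError(buf) path as an allocation failure, which deserves a one-line comment so the shared handling reads as intentional.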

2011/6/24 Eric Blake <eblake@redhat.com>:
> It's unlikely that we'll ever want to escape a string as long as INT_MAX/6, but adding this check can't hurt.
>
> * src/util/buf.c (virBufferEscapeSexpr, virBufferEscapeString): Check for (unlikely) overflow.
> ---
> src/util/buf.c | 6 ++++--
> 1 files changed, 4 insertions(+), 2 deletions(-)

ACK.

-- 
Matthias Bolte
http://photron.blogspot.com

On 06/24/2011 02:27 PM, Matthias Bolte wrote:
> 2011/6/24 Eric Blake <eblake@redhat.com>:
>> It's unlikely that we'll ever want to escape a string as long as INT_MAX/6, but adding this check can't hurt.
>>
>> * src/util/buf.c (virBufferEscapeSexpr, virBufferEscapeString): Check for (unlikely) overflow.
>> ---
>> src/util/buf.c | 6 ++++--
>> 1 files changed, 4 insertions(+), 2 deletions(-)
>
> ACK.

Thanks; pushed. There are remaining instances of 'ALLOC.* \* ' in the tree, but they all appear to be safe (both quantities can be verified to be small enough that the product will never overflow, in part because of the up-front filtering I just did for virDomainGetVcpus).

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org