xen-devel
Re: [Xen-devel] [PATCH]ioemu: fix buffer overflow of vslots
On Wed, Mar 25, 2009 at 06:08:16PM +0800, Cui, Dexuan wrote:
> Assuming we assign n devices, strlen(direct_pci) can be 13n and the length of
> the old 'vslots' is 13n/3 which is smaller than 5n+1 (1 slot_str takes 5
> bytes).
> So we have to malloc a bigger buffer for vslots.
>
> Signed-off-by: Dexuan Cui <dexuan.cui@xxxxxxxxx>
>
> diff --git a/hw/pass-through.c b/hw/pass-through.c
> index f5cdcdd..07cd4f4 100644
> --- a/hw/pass-through.c
> +++ b/hw/pass-through.c
> @@ -3934,10 +3934,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
> if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
> return 0;
>
> - /* the virtual pci slots of all pass-through devs
> - * with hex format: xx;xx...;
> + /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may
> + * be even longer considering the per-device opts(see the parsing for
> + * '/local/domain/0/backend/pci/XX/YY/opts-ZZ' in
> + * xenstore_parse_domain_config().
> + *
> + * The format of vslots(virtual pci slots of all pass-through devs):
> + * 0xXX;0xXX;... (see the code below).
> + *
> + * We're sure the length of direct_pci is bigger than that of vslots.
> */
> - vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
> + vslots = qemu_mallocz(strlen(direct_pci) + 1);
This looks good to me.
> + if ( vslots == NULL )
> + {
> + status = -1;
Status is already -1 at this point.
> + goto err;
> + }
>
> /* Assign given devices to guest */
> while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f, &opt) )
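Review bot: The last sentence of the added comment, "We're sure the length of direct_pci is bigger than that of vslots", is the only thing tying the new strlen(direct_pci) + 1 allocation to what is later written into vslots. The code that appends each slot string is outside this hunk, so nothing visible here enforces that bound. Suggest keeping the allocated size in a variable and having the append check the remaining space, so that a later change to either string format fails cleanly instead of overflowing again. Minor: the parenthesis opened at "opts(see the parsing for" is never closed in the comment.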
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
--
Simon Horman
VA Linux Systems Japan K.K., Sydney, Australia Satellite Office
H: www.vergenet.net/~horms/ W: www.valinux.co.jp/en
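
The size arithmetic from the commit message (13n bytes of direct_pci, 13n/3 allocated before the patch, 5n+1 needed), worked through as an added example that is not part of the original mail or of the ioemu source. The function names, the bounded append and the sample slot numbers are hypothetical, and the 13-byte and 5-byte figures are taken from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>

#define BDF_MIN_LEN  13  /* "xxxx:xx:xx.x-": direct_pci bytes per device (13n) */
#define SLOT_STR_LEN 5   /* "0xXX;": vslots bytes per device */

/* Old allocation for n minimal entries: strlen(direct_pci) / 3 */
size_t old_vslots_size(size_t n) { return (BDF_MIN_LEN * n) / 3; }
/* Patched allocation: strlen(direct_pci) + 1 */
size_t new_vslots_size(size_t n) { return BDF_MIN_LEN * n + 1; }
/* What vslots needs: 5 bytes per device plus the terminating NUL */
size_t needed_vslots_size(size_t n) { return SLOT_STR_LEN * n + 1; }

/* Hypothetical bounded append of one "0xXX;" entry.
 * Returns 0 on success, -1 if the entry (plus NUL) would not fit in cap. */
int vslots_append(char *buf, size_t cap, size_t *used, unsigned slot)
{
    if (slot > 0xff || *used >= cap || cap - *used < SLOT_STR_LEN + 1)
        return -1;
    snprintf(buf + *used, cap - *used, "0x%02x;", slot);
    *used += SLOT_STR_LEN;
    return 0;
}

/* Record n slots in a zeroed buffer of cap bytes; return how many fitted.
 * Slot numbers are constructed sample values. */
size_t slots_that_fit(size_t n, size_t cap)
{
    char *buf = calloc(cap ? cap : 1, 1);
    size_t used = 0, i;

    if (buf == NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (vslots_append(buf, cap, &used, (unsigned)(i & 0x1f)) != 0)
            break;
    free(buf);
    return i;
}

int main(void)
{
    for (size_t n = 1; n <= 4; n++)
        printf("n=%zu old=%zu new=%zu needed=%zu fit(old)=%zu fit(new)=%zu\n",
               n, old_vslots_size(n), new_vslots_size(n), needed_vslots_size(n),
               slots_that_fit(n, old_vslots_size(n)),
               slots_that_fit(n, new_vslots_size(n)));
    return 0;
}
```

With the old size, the bounded append rejects the entry that an unchecked write would have placed past the end of the buffer; with the patched size every entry fits.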