This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] libxenlight: fix heap overflow when domid_to_name returns NULL

To: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] libxenlight: fix heap overflow when domid_to_name returns NULL
From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
Date: Mon, 7 Mar 2011 13:12:40 +0000
Cc: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxxxxx>
Delivery-date: Mon, 07 Mar 2011 05:13:32 -0800
In-reply-to: <1299232954.6552.242.camel@xxxxxxxxxxxxxxxxxxxxxx>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
References: <4D702468.9040206@xxxxxxxxxxxxx> <1299232954.6552.242.camel@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Alpine 2.00 (DEB 1167 2008-08-23)
On Fri, 4 Mar 2011, Ian Campbell wrote:
> On Thu, 2011-03-03 at 23:29 +0000, Eamon Walsh wrote:
> > The function flexarray_vappend() will stop at the first NULL
> > argument.  In libxl_device_vfb_add(), this has been observed
> > to result in keys being added to the backend array without
> > associated values in cases where the value can be NULL.
> If these values are NULL should we be writing them at all? e.g. for:
>       flexarray_vappend(back, foo, bar);
> where bar may be NULL shouldn't it become:
>       if (bar) 
>               flexarray_vappend(back, foo, bar);
> or perhaps:
>       flexarray_vappend(back, foo, bar ? bar : "");
> ?

This is actually a serious issue because it means that every time
flexarray_vappend is used and an argument is NULL, the behaviour is
going to be different from what the coder expected.
Maybe flexarray_vappend should assume that the number of args is odd and
greater than 2?
At least in that case flexarray_vappend would only break if the user
misused the function.
Or we could use a terminator other than NULL...
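
The failure mode the thread describes, reduced to a stand-alone program (this is an added example, not libxl code or any patch from this thread). The kvarray type, the kv_* names, the "domain"/"frontend-id"/"vnc" entries and the domain_name parameter are constructed for the example; kv_vappend() keeps only the contract that matters here, that the first NULL argument is the terminator. The three builders show the unfixed pattern next to the two alternatives Ian suggested, and the reader bounds-checks so the desynchronised array is reported rather than read past its end:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libxl's flexarray: a growable array of string pointers filled
 * with alternating keys and values.  Names and layout are assumptions made for
 * this example, not libxl's own. */
typedef struct { const char **data; size_t count, cap; } kvarray;

static void kv_init(kvarray *a) { a->data = NULL; a->count = a->cap = 0; }
static void kv_free(kvarray *a) { free(a->data); kv_init(a); }

static void kv_push(kvarray *a, const char *s)
{
    if (a->count == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 8;
        const char **n = realloc(a->data, ncap * sizeof *n);
        if (!n) { perror("realloc"); exit(EXIT_FAILURE); }
        a->data = n;
        a->cap = ncap;
    }
    a->data[a->count++] = s;
}

/* Same contract as the flexarray_vappend() under discussion: append every
 * const char * argument up to the first NULL, which is the terminator.  A NULL
 * passed as a value is indistinguishable from that terminator, so the call
 * stops early and the key before it is left unpaired. */
static void kv_vappend(kvarray *a, ...)
{
    va_list ap;
    const char *s;
    va_start(ap, a);
    while ((s = va_arg(ap, const char *)) != NULL)
        kv_push(a, s);
    va_end(ap);
}

/* Pairwise reader.  The "i + 1 < count" bound refuses an unpaired trailing key
 * instead of reading data[count], one element past the buffer, which is what a
 * naive "for (i = 0; i < count; i += 2) use(data[i], data[i + 1])" walk does. */
static const char *kv_lookup(const kvarray *a, const char *key)
{
    for (size_t i = 0; i + 1 < a->count; i += 2)
        if (strcmp(a->data[i], key) == 0)
            return a->data[i + 1];
    return NULL;
}

/* domain_name stands for the possibly NULL result of domid_to_name(); the other
 * keys and values are made up.  Unfixed pattern: a NULL domain_name terminates
 * the first call right after "domain", so "frontend-id"/"7" vanish and every
 * later pair is shifted by one position. */
static void buggy_build(kvarray *a, const char *domain_name)
{
    kv_vappend(a, "domain", domain_name, "frontend-id", "7", NULL);
    kv_vappend(a, "vnc", "1", NULL);
}

/* Ian Campbell's first suggestion: omit the pair when the value is NULL. */
static void skip_build(kvarray *a, const char *domain_name)
{
    if (domain_name)
        kv_vappend(a, "domain", domain_name, NULL);
    kv_vappend(a, "frontend-id", "7", "vnc", "1", NULL);
}

/* His second suggestion: always emit the key, with "" for a missing value. */
static void empty_build(kvarray *a, const char *domain_name)
{
    kv_vappend(a, "domain", domain_name ? domain_name : "", NULL);
    kv_vappend(a, "frontend-id", "7", "vnc", "1", NULL);
}

typedef void (*build_fn)(kvarray *, const char *);

/* Entries a builder leaves behind; an odd count means a key lost its value. */
static size_t count_after(build_fn build, const char *domain_name)
{
    kvarray a;
    kv_init(&a);
    build(&a, domain_name);
    size_t n = a.count;
    kv_free(&a);
    return n;
}

/* What a pairwise consumer reads for key (values are string literals, so the
 * returned pointer outlives the freed array). */
static const char *lookup_after(build_fn build, const char *domain_name,
                                const char *key)
{
    kvarray a;
    kv_init(&a);
    build(&a, domain_name);
    const char *v = kv_lookup(&a, key);
    kv_free(&a);
    return v;
}

int main(void)
{
    /* With a NULL name the unfixed builder leaves 3 entries and "domain"
     * appears to carry the value "vnc"; the two fixed builders stay even. */
    printf("buggy: %zu entries, domain=%s\n", count_after(buggy_build, NULL),
           lookup_after(buggy_build, NULL, "domain"));
    printf("skip: %zu entries, empty: %zu entries\n",
           count_after(skip_build, NULL), count_after(empty_build, NULL));
    return 0;
}
```

The two fixes are not equivalent for the consumer: skip_build leaves no "domain" key at all, while empty_build writes "domain" with an empty value, so whichever libxl chose, the code that later reads the backend entries has to accept that shape. Either way the array stays even-length, which is what keeps a pairwise walk inside the buffer.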
