This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] libxenlight: fix heap overflow when domid_to_name returns NULL

To: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] libxenlight: fix heap overflow when domid_to_name returns NULL
From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
Date: Mon, 7 Mar 2011 16:44:27 +0000
Cc: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxxxxx>
In-reply-to: <4D74FAAF.7040105@xxxxxxxxxxxxx>
References: <4D702468.9040206@xxxxxxxxxxxxx> <1299232954.6552.242.camel@xxxxxxxxxxxxxxxxxxxxxx> <4D74FAAF.7040105@xxxxxxxxxxxxx>
On Mon, 7 Mar 2011, Eamon Walsh wrote:
> On 03/04/2011 05:02 AM, Ian Campbell wrote:
> > On Thu, 2011-03-03 at 23:29 +0000, Eamon Walsh wrote:
> >> The function flexarray_vappend() will stop at the first NULL
> >> argument.  In libxl_device_vfb_add(), this has been observed
> >> to result in keys being added to the backend array without
> >> associated values in cases where the value can be NULL.
> > If these values are NULL should we be writing them at all? e.g. for:
> >     flexarray_vappend(back, foo, bar);
> > where bar may be NULL shouldn't it become:
> >     if (bar) 
> >             flexarray_vappend(back, foo, bar);
> > or perhaps:
> >     flexarray_vappend(back, foo, bar ? bar : "");
> > ?
> >
> If the value is NULL, the key is skipped and not written.  This is because of 
> a patch I submitted to change the xs_writev() function, which was calling 
> strlen(NULL) previously.  See:
> http://lists.xensource.com/archives/html/xen-devel/2010-03/msg00703.html
> However this behavior is not obvious.  Checking the value earlier and leaving 
> it off the list makes sense.

I think Ian and I reached an agreement on the introduction of
flexarray_append_pair that would be very similar to flexarray_append but
takes two ptr arguments.
flexarray_append_pair would be used instead of flexarray_vappend in
What do you think? Would you be up for writing the patch?
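To make the failure mode concrete, here is an added example (not libxl code and not the patch under discussion) using a toy flexarray: flexarray_vappend stops at the first NULL argument, so a NULL value in the middle of a key/value list leaves an odd number of entries and an unpaired key, whereas a flexarray_append_pair that checks the value explicitly drops the whole pair. The flexarray_t layout, FA_SIZE and backend_count are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>

/* Toy stand-in for libxl's flexarray (hypothetical, not the real one):
 * a fixed-capacity array of pointers plus an element count. */
#define FA_SIZE 8
typedef struct { void *data[FA_SIZE]; int count; } flexarray_t;

static int flexarray_append(flexarray_t *a, void *p)
{
    if (a->count == FA_SIZE) return 1;    /* full: signal failure */
    a->data[a->count++] = p;
    return 0;
}

/* Variadic append that stops at the first NULL argument.  A NULL *value*
 * in the middle of a key/value list silently truncates it there, leaving
 * the preceding key without a value: the behaviour discussed in the thread. */
static int flexarray_vappend(flexarray_t *a, ...)
{
    va_list ap;
    void *p;
    va_start(ap, a);
    while ((p = va_arg(ap, void *)) != NULL)
        if (flexarray_append(a, p)) { va_end(ap); return 1; }
    va_end(ap);
    return 0;
}

/* Proposed flexarray_append_pair: the value is checked explicitly, so a
 * NULL value drops the whole pair rather than leaving a dangling key. */
static int flexarray_append_pair(flexarray_t *a, void *key, void *val)
{
    if (val == NULL) return 0;
    return flexarray_append(a, key) || flexarray_append(a, val);
}

/* Build a backend key/value list both ways, with "display" possibly NULL,
 * and return the entry count: an odd count means a dangling key. */
int backend_count(int use_pair, const char *vnc, const char *display)
{
    flexarray_t a = { {0}, 0 };
    if (use_pair) {
        flexarray_append_pair(&a, "vnc", (void *)vnc);
        flexarray_append_pair(&a, "display", (void *)display);
    } else {
        flexarray_vappend(&a, "vnc", (void *)vnc, "display", (void *)display, NULL);
    }
    return a.count;
}
```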
