Hi,
On Mon, 31 Mar 2008 14:28:26 +0900
Simon Horman <horms@xxxxxxxxxxxx> wrote:
> On Mon, Mar 31, 2008 at 01:25:19PM +0900, Itsuro ODA wrote:
> > This patch is for xen-3.2.0.
> >
> > --- common/kexec.c.org 2008-03-25 09:29:39.000000000 +0900
> > +++ common/kexec.c 2008-03-28 12:50:33.000000000 +0900
> > @@ -43,6 +43,9 @@
>
> [snip]
>
> > +void vmcoreinfo_append_str(const char *fmt, ...)
> > +{
> > + va_list args;
> > + char buf[0x50];
> > + int r;
> > + size_t note_size = sizeof(Elf_Note) +
> > ELFNOTE_ALIGN(strlen(VMCOREINFO_NOTE_NAME) + 1);
> > +
> > + va_start(args, fmt);
> > + r = vsnprintf(buf, sizeof(buf), fmt, args);
> > + va_end(args);
> > +
> > + if (r + vmcoreinfo_size + note_size > VMCOREINFO_BYTES)
> > + r = VMCOREINFO_BYTES - vmcoreinfo_size - note_size;
> > +
> > + memcpy(&vmcoreinfo_data[note_size + vmcoreinfo_size], buf, r);
> > +
> > + vmcoreinfo_size += r;
> > +}
>
> Hi Oda-san,
>
> It looks like it is possible for both vsnprintf() and
> the "if (r + vmcoreinfo_size + note_size > VMCOREINFO_BYTES)" logic
> to truncate a feild. Is this likely to be a problem in practice,
> or is the code just guarding against malformed input?
just guarding against malformed input.
> Also, this code looks like it will be need to up-ported due to changes
> that I recently made to common/kexec.c and the range fetching portion of
> the hypercall in unstable. This shouldn't be a big deal, just something
> that is worth mentioning.
I see.
Thanks.
--
Itsuro ODA <oda@xxxxxxxxxxxxx>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
Home