projects / pve-qemu-kvm.git / blame
| Commit | Line | Data |
|---|---|---|
| 1c771352 WB |
1 | From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001 |
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
| 3 | Date: Thu, 17 Dec 2015 17:47:15 +0530 | |
| 4 | Subject: [PATCH] hmp: avoid redundant null termination of buffer | |
| 5 | ||
| 6 | When processing 'sendkey' command, hmp_sendkey routine null | |
| 7 | terminates the 'keyname_buf' array. This results in an OOB write | |
| 8 | issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. | |
| 9 | Removed the redundant null termination, as pstrcpy routine already | |
| 10 | null terminates the target buffer. | |
| 11 | ||
| 12 | Reported-by: Ling Liu <liuling-it@360.cn> | |
| 13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
| 14 | --- | |
| 15 | hmp.c | 2 -- | |
| 16 | 1 file changed, 2 deletions(-) | |
| 17 | ||
| 18 | diff --git a/hmp.c b/hmp.c | |
| 19 | index 2140605..e530c9c 100644 | |
| 20 | --- a/hmp.c | |
| 21 | +++ b/hmp.c | |
| 22 | @@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) | |
| 23 | /* Be compatible with old interface, convert user inputted "<" */ | |
| 24 | if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { | |
| 25 | pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); | |
| 26 | - keyname_len = 4; | |
| 27 | } | |
| 28 | - keyname_buf[keyname_len] = 0; | |
| 29 | ||
| 30 | keylist = g_malloc0(sizeof(*keylist)); | |
| 31 | keylist->value = g_malloc0(sizeof(*keylist->value)); | |
| 32 | -- | |
| 33 | 2.4.3 | |
| 34 | === |