[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] tools/xenstored: Fix off-by-one in dump_state_nodes()

commit c85610a3224a89159284f082c8c3dfb842c070fb
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Thu Jul 29 10:34:20 2021 +0100
Commit:     Ian Jackson <iwj@xxxxxxxxxxxxxx>
CommitDate: Fri Jul 30 11:02:35 2021 +0100

    tools/xenstored: Fix off-by-one in dump_state_nodes()
    
    The maximum path length supported by Xenstored protocol is
    XENSTORE_ABS_PATH_MAX (i.e 3072). This doesn't take into account the
    NUL at the end of the path.
    
    However, the code to dump the nodes will allocate a buffer
    of XENSTORE_ABS_PATH. As a result it may not be possible to live-update
    if there is a node name of XENSTORE_ABS_PATH.
    
    Fix it by allocating a buffer of XENSTORE_ABS_PATH_MAX + 1 characters.
    
    Take the opportunity to pass the max length of the buffer as a
    parameter of dump_state_node_tree(). This will be clearer that the
    check in the function is linked to the allocation in dump_state_nodes().
    
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
---
 tools/xenstore/xenstored_core.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 16c856730c..0d4c73d6e2 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2574,7 +2574,8 @@ const char *dump_state_node_perms(FILE *fp, const struct 
xs_permissions *perms,
        return NULL;
 }
 
-static const char *dump_state_node_tree(FILE *fp, char *path)
+static const char *dump_state_node_tree(FILE *fp, char *path,
+                                       unsigned int path_max_len)
 {
        unsigned int pathlen, childlen, p = 0;
        struct xs_state_record_header head;
@@ -2642,10 +2643,10 @@ static const char *dump_state_node_tree(FILE *fp, char 
*path)
        }
        while (p < hdr->childlen) {
                childlen = strlen(child) + 1;
-               if (pathlen + childlen > XENSTORE_ABS_PATH_MAX)
+               if (pathlen + childlen > path_max_len)
                        return "Dump node path length error";
                strcpy(path + pathlen, child);
-               ret = dump_state_node_tree(fp, path);
+               ret = dump_state_node_tree(fp, path, path_max_len);
                if (ret)
                        return ret;
                p += childlen;
@@ -2661,13 +2662,13 @@ const char *dump_state_nodes(FILE *fp, const void *ctx)
 {
        char *path;
 
-       path = talloc_size(ctx, XENSTORE_ABS_PATH_MAX);
+       path = talloc_size(ctx, XENSTORE_ABS_PATH_MAX + 1);
        if (!path)
                return "Path buffer allocation error";
 
        strcpy(path, "/");
 
-       return dump_state_node_tree(fp, path);
+       return dump_state_node_tree(fp, path, XENSTORE_ABS_PATH_MAX + 1);
 }
 
 void read_state_global(const void *ctx, const void *state)
--
generated by git-patchbot for /home/xen/git/xen.git#master

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.