|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] tools/xenstore: avoid unterminated string in xs_directory_part()
On Tue, Dec 06, 2016 at 07:41:54AM +0100, Juergen Gross wrote:
> Commit d4016288ab1f ("xenstore: support XS_DIRECTORY_PART in
> libxenstore") introduced a theoretical bug: the generation count of
> the read node is transferred via strncpy without forcing a NUL byte
> at the end. Correct this.
>
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> ---
> tools/xenstore/xs.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/tools/xenstore/xs.c b/tools/xenstore/xs.c
> index e462a20..3ce7157 100644
> --- a/tools/xenstore/xs.c
> +++ b/tools/xenstore/xs.c
> @@ -589,7 +589,7 @@ static char **xs_directory_part(struct xs_handle *h,
> xs_transaction_t t,
> struct iovec iovec[2];
> char *result = NULL, *strings = NULL;
>
> - gen[0] = 0;
> + memset(gen, 0, sizeof(gen));
> iovec[0].iov_base = (void *)path;
> iovec[0].iov_len = strlen(path) + 1;
>
> @@ -616,7 +616,7 @@ static char **xs_directory_part(struct xs_handle *h,
> xs_transaction_t t,
> continue;
> }
> } else
> - strncpy(gen, result, sizeof(gen));
> + strncpy(gen, result, sizeof(gen) - 1);
>
> result_len -= strlen(result) + 1;
> strings = realloc(strings, off + result_len);
> --
> 2.10.2
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |