|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] libxl: make sure buffer is null-terminated in libxl_read_file_contents
On XenServer 7.1.1, we start a vm with XAPI but attach a block device with xl.
We create an empty json config for the vm with the content "{}\n" and then
run 'xl block-attach':
# xl block-attach 1 phy:/dev/loop0 xvdz w
libxl: error: libxl_json.c:950:libxl__json_parse: yajl error: parse error:
trailing garbage
{} K]
(right here) ------^
libxl: error: libxl_json.c:1053:libxl__object_from_json: unable to generate
libxl__json_object from JSON representation of libxl_domain_config.
libxl: error: libxl.c:1995:device_addrm_aocomplete: unable to add device
libxl_device_disk_add failed.
After investigation, we found the buffer returned from libxl_read_file_contents
is not null-terminated. But later in libxl__object_from_json, the buffer is
expected to
be null-terminated. So parsing may exceeded the end of file and get in to
uninisialized
momery area.
Signed-off-by: Robin Lee <robinlee.sysu@xxxxxxxxx>
---
tools/libxl/libxl_utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/libxl/libxl_utils.c b/tools/libxl/libxl_utils.c
index 507ee56..51134a7 100644
--- a/tools/libxl/libxl_utils.c
+++ b/tools/libxl/libxl_utils.c
@@ -362,8 +362,9 @@ int libxl_read_file_contents(libxl_ctx *ctx, const char
*filename,
datalen = stab.st_size;
if (stab.st_size && data_r) {
- data = malloc(datalen);
+ data = malloc(((size_t)datalen)+1);
if (!data) goto xe;
+ data[datalen] = 0; /* make sure buffer null-terminated */
rs = fread(data, 1, datalen, f);
if (rs != datalen) {
--
1.8.3.1
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |