[Spice-commits] server/stat-file.c
Frediano Ziglio
fziglio at kemper.freedesktop.org
Fri Feb 3 09:49:09 UTC 2017
server/stat-file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit a29afab02892b5c6dc12ef7e400507ba3fac3825
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Thu Feb 2 12:40:16 2017 +0000
stat-file: Fix off by one buffer overflow
The stat file contains an array of max_nodes elements
so we must stay in [0, max_nodes) range, not [0, max_nodes].
There are no spice path that lead to these overflows but
it's better to have them fixed before creating one.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Jonathon Jongsma <jjongsma at redhat.com>
diff --git a/server/stat-file.c b/server/stat-file.c
index c23f4f5..3fe3890 100644
--- a/server/stat-file.c
+++ b/server/stat-file.c
@@ -168,7 +168,7 @@ stat_file_add_node(RedStatFile *stat_file, StatNodeRef parent, const char *name,
}
stat_file->stat->generation++;
stat_file->stat->num_of_nodes++;
- for (ref = 0; ref <= stat_file->max_nodes; ref++) {
+ for (ref = 0; ref < stat_file->max_nodes; ref++) {
node = &stat_file->stat->nodes[ref];
if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
break;
@@ -211,7 +211,7 @@ static void stat_file_remove(RedStatFile *stat_file, SpiceStatNode *node)
/* children will be orphans */
if (stat_file->stat->root_index == node_ref) {
stat_file->stat->root_index = node_next;
- } else for (ref = 0; ref <= stat_file->max_nodes; ref++) {
+ } else for (ref = 0; ref < stat_file->max_nodes; ref++) {
node = &stat_file->stat->nodes[ref];
if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
continue;
More information about the Spice-commits
mailing list