[Spice-commits] server/stat-file.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Fri Feb 3 09:49:09 UTC 2017


 server/stat-file.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit a29afab02892b5c6dc12ef7e400507ba3fac3825
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Thu Feb 2 12:40:16 2017 +0000

    stat-file: Fix off by one buffer overflow
    
    The stat file contains an array of max_nodes elements
    so we must stay in [0, max_nodes) range, not [0, max_nodes].
    
    There is no spice code path that leads to these overflows, but
    it's better to have them fixed before one is created.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Jonathon Jongsma <jjongsma at redhat.com>

diff --git a/server/stat-file.c b/server/stat-file.c
index c23f4f5..3fe3890 100644
--- a/server/stat-file.c
+++ b/server/stat-file.c
@@ -168,7 +168,7 @@ stat_file_add_node(RedStatFile *stat_file, StatNodeRef parent, const char *name,
     }
     stat_file->stat->generation++;
     stat_file->stat->num_of_nodes++;
-    for (ref = 0; ref <= stat_file->max_nodes; ref++) {
+    for (ref = 0; ref < stat_file->max_nodes; ref++) {
         node = &stat_file->stat->nodes[ref];
         if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
             break;
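Review bot: If every slot is enabled, the corrected loop in stat_file_add_node ends with `ref == stat_file->max_nodes` and `node` still pointing at the last, in-use element, and nothing in the hunk distinguishes that from having found a free slot. `generation` and `num_of_nodes` are also incremented before the search, so a failed search would leave the counters ahead of the table contents. The code before and after the loop lies outside the hunk, so an earlier capacity check may already rule this case out. If it does, a comment such as `/* a free slot must exist: num_of_nodes < max_nodes was checked above */` would record the invariant; otherwise add an explicit `if (ref == stat_file->max_nodes)` failure path after the loop.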
@@ -211,7 +211,7 @@ static void stat_file_remove(RedStatFile *stat_file, SpiceStatNode *node)
     /* children will be orphans */
     if (stat_file->stat->root_index == node_ref) {
         stat_file->stat->root_index = node_next;
-    } else for (ref = 0; ref <= stat_file->max_nodes; ref++) {
+    } else for (ref = 0; ref < stat_file->max_nodes; ref++) {
         node = &stat_file->stat->nodes[ref];
         if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
             continue;
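Review bot: The `} else for (...) {` form in stat_file_remove tucks the loop into the else branch without its own braces, which makes the loop bound and its scope easy to misread when auditing array accesses. Writing it as `} else {` followed by `for (ref = 0; ref < stat_file->max_nodes; ref++) {` on its own line, with a matching closing brace, would make the structure explicit. The loop body continues past the end of the hunk, so the extra closing brace would go outside the visible lines.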

