[Spice-devel] [spice-common 3/8] coverity: avoid out of bounds access

Christophe Fergeau cfergeau at redhat.com
Mon Apr 4 08:29:59 UTC 2016


On Mon, Apr 04, 2016 at 10:03:34AM +0200, Fabiano Fidêncio wrote:
> We are allocating insufficient memory for the terminating null of the
> string.
> ---
>  common/ssl_verify.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 601252e..4292ddf 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -283,8 +283,8 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
>      spice_return_val_if_fail(subject != NULL, NULL);
>      spice_return_val_if_fail(nentries != NULL, NULL);
>  
> -    key = (char*)alloca(strlen(subject));
> -    val = (char*)alloca(strlen(subject));
> +    key = (char*)alloca(strlen(subject) + 1);
> +    val = (char*)alloca(strlen(subject) + 1);
>      in_subject = X509_NAME_new();
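Review bot: the hunk sizes both scratch buffers at strlen(subject) + 1, which is the right bound only if the code that fills key and val writes at most the whole subject followed by a '\0'; that copy loop is outside this hunk's context, so the commit message should point at the terminating write it covers so the off-by-one can be verified from the diff. A one-line comment beside the two alloca() calls stating the bound would also help, since the allocation size comes straight from the caller-supplied subject length and alloca() has no failure path.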

Can try to write too many chars to the string in practice? We expect the
string to contain a '=', so key/state will be smaller than subject. If
there is no '=' in the string, we don't try to add a '\0' to 'key' (I
did not check the 'val' code path).

Christophe
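To make the sizing argument in this thread concrete, here is an added example (not spice-common's subject_to_x509_name, and not OpenSSL code): a small parser that splits a subject string into key/value pairs, with scratch buffers sized strlen(subject) + 1. The "key=value" entries separated by ',' are an assumed format for the example; subject_max_component, subject_parse and subject_free are hypothetical names. The worst case for either buffer is a subject with no delimiter at all, where a component is as long as the entire string and the buffer still needs one more byte for the terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not spice-common code. Entry format assumed here:
 * "key=value" pairs separated by ','. */

/* Longest single key or value in 'subject'. This is the number of bytes a
 * scratch buffer must hold *before* the terminating '\0'; it equals
 * strlen(subject) when the string has no ',' or '=' at all. */
size_t subject_max_component(const char *subject)
{
    size_t max = 0, cur = 0;
    for (const char *p = subject; ; p++) {
        if (*p == '\0' || *p == ',' || *p == '=') {
            if (cur > max)
                max = cur;
            cur = 0;
            if (*p == '\0')
                break;
        } else {
            cur++;
        }
    }
    return max;
}

typedef struct {
    char *key;
    char *val;
} subject_entry;

void subject_free(subject_entry *entries, int n)
{
    for (int i = 0; i < n; i++) {
        free(entries[i].key);
        free(entries[i].val);
    }
}

/* Parse 'subject' into at most 'max_entries' key/value pairs.
 * Returns the entry count, or -1 if an entry has no '=' or allocation
 * fails (nothing is leaked on -1). Each key and value gets a heap buffer of
 * strlen(subject) + 1 bytes: the component itself can never exceed
 * strlen(subject), and the extra byte is the '\0' the alloca() fix in this
 * thread accounts for. */
int subject_parse(const char *subject, subject_entry *out, int max_entries)
{
    size_t cap = strlen(subject) + 1;   /* +1 for the terminating NUL */
    const char *p = subject;
    int n = 0;

    while (*p != '\0' && n < max_entries) {
        const char *eq = strchr(p, '=');
        const char *end = strchr(p, ',');
        if (end == NULL)
            end = p + strlen(p);
        if (eq == NULL || eq > end) {   /* entry without '=' */
            subject_free(out, n);
            return -1;
        }
        char *key = malloc(cap);
        char *val = malloc(cap);
        if (key == NULL || val == NULL) {
            free(key);
            free(val);
            subject_free(out, n);
            return -1;
        }
        size_t klen = (size_t)(eq - p);         /* <= strlen(subject) */
        size_t vlen = (size_t)(end - (eq + 1)); /* <= strlen(subject) */
        memcpy(key, p, klen);
        key[klen] = '\0';                        /* index klen < cap */
        memcpy(val, eq + 1, vlen);
        val[vlen] = '\0';                        /* index vlen < cap */
        out[n].key = key;
        out[n].val = val;
        n++;
        p = (*end == ',') ? end + 1 : end;
    }
    return n;
}

int main(void)
{
    subject_entry e[8];
    const char *s = "C=US,O=Example";   /* constructed sample subject */
    int n = subject_parse(s, e, 8);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", e[i].key, e[i].val);
    subject_free(e, n > 0 ? n : 0);
    printf("max component of \"noequals\": %zu\n",
           subject_max_component("noequals"));
    return 0;
}
```

Rejecting an entry without '=' up front is the simplest way to make the terminator write unconditional; Christophe's concern about what happens to key when no '=' is present is exactly the path a parser should close rather than leave to the caller.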