[Spice-devel] [spice-common 3/8] coverity: avoid out of bounds access
Fabiano Fidêncio
fidencio at redhat.com
Mon Apr 25 07:06:07 UTC 2016
On Mon, Apr 4, 2016 at 10:29 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> On Mon, Apr 04, 2016 at 10:03:34AM +0200, Fabiano Fidêncio wrote:
>> We are allocating insufficient memory for the terminating null of the
>> string.
>> ---
>> common/ssl_verify.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
>> index 601252e..4292ddf 100644
>> --- a/common/ssl_verify.c
>> +++ b/common/ssl_verify.c
>> @@ -283,8 +283,8 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
>> spice_return_val_if_fail(subject != NULL, NULL);
>> spice_return_val_if_fail(nentries != NULL, NULL);
>>
>> - key = (char*)alloca(strlen(subject));
>> - val = (char*)alloca(strlen(subject));
>> + key = (char*)alloca(strlen(subject) + 1);
>> + val = (char*)alloca(strlen(subject) + 1);
>> in_subject = X509_NAME_new();
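Review bot: the two new alloca() calls for key and val still size stack buffers directly from strlen(subject), with no upper bound visible in this hunk, so the stack frame grows by twice the subject length plus two bytes for whatever string the caller passes. Consider computing the length once into a size_t and rejecting subjects above a fixed limit before allocating, or switching to heap allocation. The commit message should also name the write that can reach index strlen(subject), since the hunk does not show the parsing code that fills key and val.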
>
> Can we try to write too many chars to the string in practice? We expect the
> string to contain a '=', so key/state will be smaller than subject. If
> there is no '=' in the string, we don't try to add a '\0' to 'key' (I
> did not check the 'val' code path).
Makes sense. I'll drop this patch.
>
> Christophe