[Spice-devel] [PATCH spice-server 1/2] stat-file: Fix off by one buffer overflow

Jonathon Jongsma jjongsma at redhat.com
Thu Feb 2 16:56:29 UTC 2017


On Thu, 2017-02-02 at 10:52 -0600, Jonathon Jongsma wrote:
> Acked-by: Jonathon Jongsma <jjongsma at redhat.com>
> 
> Out of curiosity, how did you find it? Just reading code?

Never mind. I see that the next patch is addressing a compiler warning
in this code, so you were obviously looking closely at this code for
that reason.



> 
> 
> 
> On Thu, 2017-02-02 at 12:46 +0000, Frediano Ziglio wrote:
> > The stat file contains an array of max_nodes elements
> > so we must stay in [0, max_nodes) range, not [0, max_nodes].
> > 
> > There are no spice path that lead to these overflows but
> > it's better to have them fixed before creating one.
> > 
> > Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> > ---
> >  server/stat-file.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/server/stat-file.c b/server/stat-file.c
> > index c23f4f5..3fe3890 100644
> > --- a/server/stat-file.c
> > +++ b/server/stat-file.c
> > @@ -168,7 +168,7 @@ stat_file_add_node(RedStatFile *stat_file,
> > StatNodeRef parent, const char *name,
> >      }
> >      stat_file->stat->generation++;
> >      stat_file->stat->num_of_nodes++;
> > -    for (ref = 0; ref <= stat_file->max_nodes; ref++) {
> > +    for (ref = 0; ref < stat_file->max_nodes; ref++) {
> >          node = &stat_file->stat->nodes[ref];
> >          if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
> >              break;
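Review bot: the corrected bound leaves the fallthrough case unhandled in what is visible here. If every entry in nodes[0..max_nodes) has SPICE_STAT_NODE_FLAG_ENABLED set, the loop now exits with ref == max_nodes and `node` still pointing at nodes[max_nodes - 1] from the last iteration, and both `generation++` and `num_of_nodes++` have already run before the scan. Unless the check that closes just above the increments guarantees a free slot, please add an explicit `if (ref == stat_file->max_nodes)` early return (or at least a `spice_assert`) after the loop, so that the old out-of-bounds write cannot become a silent reuse of the last enabled node.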
> > @@ -211,7 +211,7 @@ static void stat_file_remove(RedStatFile
> > *stat_file, SpiceStatNode *node)
> >      /* children will be orphans */
> >      if (stat_file->stat->root_index == node_ref) {
> >          stat_file->stat->root_index = node_next;
> > -    } else for (ref = 0; ref <= stat_file->max_nodes; ref++) {
> > +    } else for (ref = 0; ref < stat_file->max_nodes; ref++) {
> >          node = &stat_file->stat->nodes[ref];
> >          if (!(node->flags & SPICE_STAT_NODE_FLAG_ENABLED)) {
> >              continue;
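Review bot: the `} else for (ref = 0; ref < stat_file->max_nodes; ref++) {` form, with the loop body continuing on the following lines, is easy to misread and to mis-edit; splitting it into `} else {` followed by a braced `for` would make the structure obvious. This is also the second scan over nodes[0..max_nodes) with the same enabled-flag test as in stat_file_add_node(), so a small shared helper or a single definition of the bound would keep the two loops from drifting apart the way they did here.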
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
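To make the consequence of the `<=` bound concrete, here is a cut-down model of the free-slot scan in stat_file_add_node(). This is an added example, not spice-server code: the `StatFile`/`Node` types, `FLAG_ENABLED`, `MAX_NODES` and the `add_node()` helper are assumptions for illustration, and the real stat file is a shared mapping whose layout past the array is whatever follows it. The example reserves one extra element filled with a guard pattern so the one-past-the-end access stays inside memory we can inspect; with the original bound the scan treats that element as a free node and writes into it, while the fixed bound refuses the add.

```c
/* Added example, not spice-server code: models the free-slot scan of
 * stat_file_add_node() to show why the loop bound must be
 * `ref < max_nodes`, not `ref <= max_nodes`. Types and names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_ENABLED 1u      /* stands in for SPICE_STAT_NODE_FLAG_ENABLED */
#define MAX_NODES    4       /* small so the table fills quickly */
#define GUARD_BYTE   0x5A    /* pattern placed in the element past the array */

typedef struct {
    uint32_t flags;
    char     name[16];
} Node;

/* max_nodes is MAX_NODES; the extra element is a guard, not a node. It stands
 * in for "whatever lives after the array" in the real shared stat file, and
 * lets the demo observe the out-of-bounds write without undefined behaviour. */
typedef struct {
    unsigned max_nodes;
    unsigned num_of_nodes;
    Node     nodes[MAX_NODES + 1];
} StatFile;

static void stat_init(StatFile *sf) {
    memset(sf, 0, sizeof *sf);
    sf->max_nodes = MAX_NODES;
    memset(&sf->nodes[MAX_NODES], GUARD_BYTE, sizeof(Node));
}

/* 1 if the guard element is untouched, 0 if something wrote into it. */
static int guard_intact(const StatFile *sf) {
    const unsigned char *p = (const unsigned char *)&sf->nodes[MAX_NODES];
    for (size_t i = 0; i < sizeof(Node); i++)
        if (p[i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Free-slot scan as in the patched function. `buggy` keeps the original
 * `<=` bound (one element too far); otherwise the fixed `<` bound is used.
 * Returns the slot index used, or -1 when every slot is already enabled. */
static int add_node(StatFile *sf, const char *name, int buggy) {
    unsigned end = buggy ? sf->max_nodes + 1 : sf->max_nodes;  /* exclusive */
    unsigned ref;
    Node *node = NULL;
    for (ref = 0; ref < end; ref++) {
        node = &sf->nodes[ref];
        if (!(node->flags & FLAG_ENABLED))
            break;
    }
    if (ref == end)
        return -1;            /* table full: refuse instead of overwriting */
    node->flags |= FLAG_ENABLED;
    snprintf(node->name, sizeof node->name, "%s", name);
    sf->num_of_nodes++;
    return (int)ref;
}

/* Fill the table, then attempt one more add with the chosen bound.
 * Stores the index that add returned and reports whether the guard survived. */
static int run_full_add(int buggy, int *ref_out) {
    StatFile sf;
    stat_init(&sf);
    for (unsigned i = 0; i < MAX_NODES; i++)
        add_node(&sf, "node", 0);
    *ref_out = add_node(&sf, "one-too-many", buggy);
    return guard_intact(&sf);
}

static int overflow_ref(int buggy)   { int r; run_full_add(buggy, &r); return r; }
static int guard_survives(int buggy) { int r; return run_full_add(buggy, &r); }

int main(void) {
    printf("<= bound: add returned %d, guard intact: %d\n",
           overflow_ref(1), guard_survives(1));
    printf("<  bound: add returned %d, guard intact: %d\n",
           overflow_ref(0), guard_survives(0));
    return 0;
}
```

With the guard pattern 0x5A the low bit of the stale `flags` word reads as clear, which is exactly why the buggy scan mistakes the element past the end for a free node; in a real mapping that word is whatever happens to follow the array, so the bug is data dependent and would not reproduce on every run.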

