[Spice-devel] [PATCH spice-server v2 2/2] worker: Fix potential sprintf overflow

Christophe Fergeau cfergeau at redhat.com
Thu Mar 21 09:28:45 UTC 2019


On Wed, Mar 20, 2019 at 03:57:46PM +0000, Frediano Ziglio wrote:
> From: Christophe Fergeau <cfergeau at redhat.com>
> 
> If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a
> negative signed int) then
> printf(worker_str, "display[%d]", worker->qxl->id);
> will need:
> 
> "display[]" -> 9 bytes
> %d -> 11 bytes
> 
> The trailing \0 will thus overflow our 20 bytes destination.
> As QXLInstance::id should be an unsigned int, this commit changes the
> format string to use %u. This also switches to snprintf.
> ---
>  server/red-worker.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/server/red-worker.c b/server/red-worker.c
> index 8051d1e4..50612aca 100644
> --- a/server/red-worker.c
> +++ b/server/red-worker.c
> @@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
>      worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
>      worker->driver_cap_monitors_config = 0;
>      char worker_str[SPICE_STAT_NODE_NAME_MAX];
> -    sprintf(worker_str, "display[%d]", worker->qxl->id);
> +    snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned int)worker->qxl->id);

I'd still add a &0xff at the end to make it explicit that we expect a
uint8_t. It's a patch I wrote, so no further comments ;)

Christophe

>      stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
>      stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);
>      stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);
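
Review bot: the return value of the new snprintf() call is ignored, and the buffer is an exact fit with no margin. "display[]" takes 9 bytes, %u takes up to 10 digits for a 32-bit unsigned int, and the terminating NUL brings the total to 20, which is the destination size the commit message gives for worker_str. If SPICE_STAT_NODE_NAME_MAX is ever lowered, the node name passed to stat_init_node() would be silently truncated. I would add a compile-time assertion on sizeof(worker_str) next to the declaration, or compare the snprintf() result against sizeof(worker_str) and handle the truncated case, so the size assumption is recorded in the code rather than only in the commit message.
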
> -- 
> 2.20.1
> 