[Spice-devel] [PATCH spice-server v3 1/5] smartcard: Fix copying remaining request

Frediano Ziglio fziglio at redhat.com
Wed Oct 9 09:22:58 UTC 2019


Use memmove instead of memcpy as the buffer can overlap if the second
request is bigger than the first.
"buf_pos" points to the point of the buffer after we read; if we want
the first part of the next request, it is at "buf_pos - remaining".
The same consideration applies when setting "buf_pos" for the next iteration.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/smartcard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/smartcard.c b/server/smartcard.c
index 4c5bba07d..bf5e90520 100644
--- a/server/smartcard.c
+++ b/server/smartcard.c
@@ -150,9 +150,9 @@ static RedPipeItem *smartcard_read_msg_from_device(RedCharDevice *self,
         msg_to_client = smartcard_char_device_on_message_from_device(dev, vheader);
         remaining = dev->priv->buf_used - sizeof(VSCMsgHeader) - actual_length;
         if (remaining > 0) {
-            memcpy(dev->priv->buf, dev->priv->buf_pos, remaining);
+            memmove(dev->priv->buf, dev->priv->buf_pos - remaining, remaining);
         }
-        dev->priv->buf_pos = dev->priv->buf;
+        dev->priv->buf_pos = dev->priv->buf + remaining;
         dev->priv->buf_used = remaining;
         if (msg_to_client) {
             return &msg_to_client->base;
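Review bot: the new `dev->priv->buf_pos = dev->priv->buf + remaining;` sits outside the `if (remaining > 0)` guard, and together with the `buf_pos - remaining` source in the memmove it depends on two things this hunk does not show: that `remaining` can never be negative, and that `buf_pos` equals `buf + buf_used` when this code runs. If `remaining` were negative, `buf_pos` would end up before `buf` and `buf_used` would take the same bad value on the next line. Please add a short comment or an assertion stating both invariants here. Writing the source as `dev->priv->buf + sizeof(VSCMsgHeader) + actual_length` would also make it read directly from the quantities used to compute `remaining`, without relying on where `buf_pos` currently points.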
-- 
2.21.0
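
The compaction step the commit message describes, as an added stand-alone example (not spice-server code). `MsgHeader`, `RxState`, the `rx_*` helpers and the 64-byte buffer are hypothetical stand-ins chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the header and device state in the patch. */
typedef struct { uint32_t type; uint32_t length; } MsgHeader;
typedef struct {
    uint8_t  buf[64];
    uint8_t *buf_pos;   /* one past the last byte read, i.e. buf + buf_used */
    size_t   buf_used;
} RxState;

static void rx_init(RxState *s) { memset(s, 0, sizeof(*s)); s->buf_pos = s->buf; }

/* Append bytes as a device read would; -1 if they do not fit. */
static int rx_feed(RxState *s, const void *data, size_t len)
{
    if (len > sizeof(s->buf) - s->buf_used) return -1;
    memcpy(s->buf_pos, data, len);   /* separate objects, no overlap */
    s->buf_pos += len; s->buf_used += len;
    return 0;
}

/* Consume the first message and compact the rest; -1 if none is complete. */
static long rx_consume(RxState *s)
{
    MsgHeader h;
    if (s->buf_used < sizeof(h)) return -1;
    memcpy(&h, s->buf, sizeof(h));
    if (h.length > s->buf_used - sizeof(h)) return -1;  /* keeps remaining >= 0 */
    size_t remaining = s->buf_used - sizeof(h) - h.length;
    /* The leftover starts at buf_pos - remaining. When it is longer than the
     * consumed message the two ranges overlap, which memcpy does not allow. */
    memmove(s->buf, s->buf_pos - remaining, remaining);
    s->buf_pos = s->buf + remaining;
    s->buf_used = remaining;
    return (long)h.length;
}

/* Constructed input: a 2-byte message then a 20-byte one, buffered together. */
static size_t demo_leftover(void)
{
    RxState s; rx_init(&s);
    MsgHeader a = { 1, 2 }, b = { 2, 20 };
    uint8_t pa[2] = { 0xAA, 0xBB }, pb[20] = { 0x5C };
    rx_feed(&s, &a, sizeof a); rx_feed(&s, pa, sizeof pa);
    rx_feed(&s, &b, sizeof b); rx_feed(&s, pb, sizeof pb);
    return rx_consume(&s) == 2 ? s.buf_used : 0;
}

int main(void) { return demo_leftover() == 28 ? 0 : 1; }
```

The bound check on `h.length` before computing `remaining` is what keeps the pointer arithmetic inside the buffer.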


