[Libguestfs] [PATCH libnbd 5/5] lib/connect: Avoid segfault for zero-length argv

Eric Blake eblake at redhat.com
Tue Sep 27 18:36:35 UTC 2022


On Tue, Sep 27, 2022 at 03:46:21PM +0100, Richard W.M. Jones wrote:
> Eric found that passing a zero length array to nbd_connect_command or
> nbd_connect_systemd_socket_activation results in a segfault.  This can
> be triggered through Python as follows:
> 
> $ nbdsh -c 'h.connect_command([])'
> nbdsh: generator/states-connect.c:247: enter_STATE_CONNECT_COMMAND_START: Assertion `h->argv.ptr[0]' failed.
> Aborted (core dumped)
> 
> Reported-by: Eric Blake
> ---
>  lib/connect.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/lib/connect.c b/lib/connect.c
> index 5008063034..629f35db7c 100644
> --- a/lib/connect.c
> +++ b/lib/connect.c
> @@ -251,6 +251,11 @@ nbd_unlocked_aio_connect_socket (struct nbd_handle *h, int sock)
>  int
>  nbd_unlocked_aio_connect_command (struct nbd_handle *h, char **argv)
>  {
> +  if (argv[0] == NULL) {
> +    set_error (EINVAL, "argv parameter must have at least 1 element");
> +    return -1;
> +  }
> +

This is basically half of my v3 1/18 patch - the part that was
noncontroversial.  Comparing my version to yours, I picked a different
error message:

    nbdsh: command line script failed: nbd_connect_command: missing command name in argv list: Invalid argument

and centralized things into a single helper function in utils.c instead of open-coding it at each affected nbd*_connect_* command.

>    if (nbd_internal_set_argv (&h->argv, argv) == -1) {
>      set_error (errno, "realloc");
>      return -1;
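Review bot: the guard reads argv[0] without first confirming that argv itself is non-NULL, so a NULL argv pointer would still fault on this line instead of returning EINVAL; if the generated public wrapper already rejects NULL pointer arguments before reaching nbd_unlocked_aio_connect_command (not visible in this hunk), a short comment saying so would make the reliance explicit, otherwise widen the check to `if (argv == NULL || argv[0] == NULL)`. Placing the check ahead of nbd_internal_set_argv is the right order, since h->argv is left untouched on the error path.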
> @@ -263,6 +268,11 @@ int
>  nbd_unlocked_aio_connect_systemd_socket_activation (struct nbd_handle *h,
>                                                      char **argv)
>  {
> +  if (argv[0] == NULL) {
> +    set_error (EINVAL, "argv parameter must have at least 1 element");
> +    return -1;
> +  }
> +
>    if (nbd_internal_set_argv (&h->argv, argv) == -1) {
>      set_error (errno, "realloc");
>      return -1;
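Review bot: this block is a verbatim copy of the guard added to nbd_unlocked_aio_connect_command (same condition, same error string), so the two messages can drift apart under later edits and any further entry point that takes argv would need a third copy; a small shared helper that validates argv and calls set_error, invoked from both connect functions right before nbd_internal_set_argv, keeps the check in one place.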
> -- 
> 2.37.0.rc2
> 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
