[Libguestfs] [PATCH libnbd 5/5] lib/connect: Avoid segfault for zero-length argv
Eric Blake
eblake at redhat.com
Tue Sep 27 18:36:35 UTC 2022
On Tue, Sep 27, 2022 at 03:46:21PM +0100, Richard W.M. Jones wrote:
> Eric found that passing a zero length array to nbd_connect_command or
> nbd_connect_systemd_socket_activation results in a segfault. This can
> be triggered through Python as follows:
>
> $ nbdsh -c 'h.connect_command([])'
> nbdsh: generator/states-connect.c:247: enter_STATE_CONNECT_COMMAND_START: Assertion `h->argv.ptr[0]' failed.
> Aborted (core dumped)
>
> Reported-by: Eric Blake
> ---
> lib/connect.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/lib/connect.c b/lib/connect.c
> index 5008063034..629f35db7c 100644
> --- a/lib/connect.c
> +++ b/lib/connect.c
> @@ -251,6 +251,11 @@ nbd_unlocked_aio_connect_socket (struct nbd_handle *h, int sock)
> int
> nbd_unlocked_aio_connect_command (struct nbd_handle *h, char **argv)
> {
> + if (argv[0] == NULL) {
> + set_error (EINVAL, "argv parameter must have at least 1 element");
> + return -1;
> + }
> +

This is basically half of my v3 1/18 patch - the part that was
noncontroversial. Comparing my version to yours, I picked a different
error message:

  nbdsh: command line script failed: nbd_connect_command: missing command name in argv list: Invalid argument

and centralized things into a single helper function in utils.c
instead of open-coding it at each affected nbd*_connect_* command.

> if (nbd_internal_set_argv (&h->argv, argv) == -1) {
> set_error (errno, "realloc");
> return -1;
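
Review bot: the new guard at the top of nbd_unlocked_aio_connect_command reads argv[0] before anything visible here has checked argv itself, so a NULL argv pointer would still be dereferenced unless a wrapper outside this diff already rejects it; testing `argv == NULL || argv[0] == NULL` costs nothing. The subject line also says "segfault" while the transcript quoted in the commit message shows an assertion abort in enter_STATE_CONNECT_COMMAND_START, so the wording could be aligned with what the reproducer actually prints.
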
> @@ -263,6 +268,11 @@ int
> nbd_unlocked_aio_connect_systemd_socket_activation (struct nbd_handle *h,
> char **argv)
> {
> + if (argv[0] == NULL) {
> + set_error (EINVAL, "argv parameter must have at least 1 element");
> + return -1;
> + }
> +
> if (nbd_internal_set_argv (&h->argv, argv) == -1) {
> set_error (errno, "realloc");
> return -1;
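
Review bot: the five added lines in nbd_unlocked_aio_connect_systemd_socket_activation are a verbatim copy of the check in nbd_unlocked_aio_connect_command, error string included; a shared helper called from both would keep the check and its message from drifting apart. The diffstat lists only lib/connect.c, so no regression test comes with the fix; a case built on the `h.connect_command([])` reproducer from the commit message, plus one for the socket-activation call, would be worth adding.
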
> --
> 2.37.0.rc2
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
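
The centralized check described in the reply above, as an added example that is not code from libnbd or from either patch: one helper rejects a NULL or empty argv before copying it, so every connect entry point that calls it gets the same check and the same error. The name copy_checked_argv and the sample argument lists are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libnbd's: validate a NULL-terminated argv and
 * deep-copy it.  Returns 0 with the copy in *out, or -1 with errno set. */
static int copy_checked_argv (char **argv, char ***out)
{
  size_t n = 0, i;
  char **copy;

  *out = NULL;
  /* Reject a NULL pointer and an empty list in one place, so no caller can
   * reach code that treats copy[0] as the program name when there is none. */
  if (argv == NULL || argv[0] == NULL) {
    errno = EINVAL;
    return -1;
  }
  while (argv[n] != NULL)
    n++;
  copy = calloc (n + 1, sizeof *copy);   /* zeroed, so already terminated */
  if (copy == NULL)
    return -1;                           /* errno left as set by calloc */
  for (i = 0; i < n; i++) {
    size_t len = strlen (argv[i]) + 1;
    if ((copy[i] = malloc (len)) == NULL) {
      while (i > 0)                      /* undo the partial copy */
        free (copy[--i]);
      free (copy);
      errno = ENOMEM;
      return -1;
    }
    memcpy (copy[i], argv[i], len);
  }
  *out = copy;
  return 0;
}

int main (void)
{
  char *ok[] = { "prog", "arg1", NULL }, *empty[] = { NULL }; /* constructed */
  char **saved;

  printf ("empty list: %d\n", copy_checked_argv (empty, &saved));
  printf ("valid list: %d\n", copy_checked_argv (ok, &saved));
  return 0;
}
```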