[Libguestfs] Re: [PATCH libguestfs] sfdisk: guard against buffer overflow

Jim Meyering jim at meyering.net
Wed Aug 12 21:59:26 UTC 2009 

Richard W.M. Jones wrote:
> On Wed, Aug 12, 2009 at 09:19:37PM +0200, Jim Meyering wrote:
>> Jim Meyering wrote:
>> > Richard W.M. Jones wrote:
>> >> On Wed, Aug 12, 2009 at 06:52:40PM +0200, Jim Meyering wrote:
>> >>> From: Jim Meyering <meyering at redhat.com>
>> >>>
>> >>> ---
>> >>>  daemon/daemon.h |    2 +-
>> >>>  daemon/sfdisk.c |    2 +-
>> >>>  2 files changed, 2 insertions(+), 2 deletions(-)
>> >>>
>> >>> diff --git a/daemon/daemon.h b/daemon/daemon.h
>> >>> index 166f3bf..bebc86f 100644
>> >>> --- a/daemon/daemon.h
>> >>> +++ b/daemon/daemon.h
>> >>> @@ -174,7 +174,7 @@ extern void reply (xdrproc_t xdrp, char *ret);
>> >>>  #define NEED_ROOT_OR_IS_DEVICE(path,errcode) \
>> >>>    do {									\
>> >>>      if (strncmp ((path), "/dev/", 5) == 0)				\
>> >>> -      IS_DEVICE ((path),(errcode));					\
>> >>> +      RESOLVE_DEVICE ((path), return errcode);				\
>> >>>      else {								\
>> >>>        NEED_ROOT ((errcode));						\
>> >>>        ABS_PATH ((path),(errcode));					\
>> >>> diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c
>> >>> index 693e89a..cf62f51 100644
>> >>> --- a/daemon/sfdisk.c
>> >>> +++ b/daemon/sfdisk.c
>> >>> @@ -53,7 +53,7 @@ sfdisk (char *device, int n, int cyls, int heads, int sectors,
>> >>>    if (extra_flag)
>> >>>      sprintf (buf + strlen (buf), " %s", extra_flag);
>> >>>
>> >>> -  /* Safe because of IS_DEVICE above: */
>> >>> +  /* Safe because of RESOLVES_DEVICE above: */
>> >
>> > This stray "S" is a typo I'd started to fix when I realized that the
>> > IS_DEVICE (renamed to RESOLVE_DEVICE) is now, in the final patch, gone.
>> >
>> > I'll rebase -i to fix my typo before committing.
>> > I'll also write a separate commit to add a check for
>> > buffer overflow.
>> >
>> >>>    sprintf (buf + strlen (buf), " %s", device);
>> 
>> Here's the promised patch
>> 
>> >From 8aca97fc1e7c0513c2781e3443c51b88876aaa6c Mon Sep 17 00:00:00 2001
>> From: Jim Meyering <meyering at redhat.com>
>> Date: Wed, 12 Aug 2009 21:16:30 +0200
>> Subject: [PATCH libguestfs] sfdisk: guard against buffer overflow
>> 
>> * daemon/sfdisk.c (sfdisk): Don't let outrageous "extra_flag"
>> or "device" strings overflow a fixed-size buffer.
>> ---
>>  daemon/sfdisk.c |   19 ++++++++++++++++---
>>  1 files changed, 16 insertions(+), 3 deletions(-)
>> 
>> diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c
>> index 1ec0c85..8ef46e5 100644
>> --- a/daemon/sfdisk.c
>> +++ b/daemon/sfdisk.c
>> @@ -48,10 +48,23 @@ sfdisk (const char *device, int n, int cyls, int heads, int sectors,
>>      sprintf (buf + strlen (buf), " -H %d", heads);
>>    if (sectors)
>>      sprintf (buf + strlen (buf), " -S %d", sectors);
>> -  if (extra_flag)
>> -    sprintf (buf + strlen (buf), " %s", extra_flag);
>> 
>> -  /* Safe because of RESOLVE_DEVICE above: */
>> +  /* The above are all guaranteed to fit in the fixed-size buffer.
>> +     However, extra_flag and device have no restrictions,
>> +     so we must check.  */
>> +
>> +  if (extra_flag) {
>> +    if (strlen (buf) + 1 + strlen (extra_flag) >= sizeof buf) {
>> +      reply_with_error ("internal buffer overflow: sfdisk extra_flag too long");
>> +      return -1;
>> +    }
>> +    snprintf (buf + strlen (buf), " %s", extra_flag);

It pains me to admit it, but a typo snuck in there.
That should be:

    sprintf (buf + strlen (buf), " %s", extra_flag);

and will be in what I push tomorrow morning.
[I missed the warning, but "make check" caught it.
 It would have better if -Werror could have been used.  Coming soon. ]

More information about the Libguestfs mailing list