[Libguestfs] [PATCH] daemon: write-file: Check range of size parameter (RHBZ#597135).

Richard W.M. Jones rjones at redhat.com
Tue Jun 1 15:21:17 UTC 2010 

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
-------------- next part --------------
>From 256f39edaac0c83eb428c8c212586ebd750cbfc2 Mon Sep 17 00:00:00 2001
From: Richard Jones <rjones at redhat.com>
Date: Tue, 1 Jun 2010 16:18:53 +0100
Subject: [PATCH 2/2] daemon: write-file: Check range of size parameter (RHBZ#597135).

This also adds a regression test.
---
 daemon/file.c    |   23 ++++++++++++++++++++++-
 src/generator.ml |    4 +++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/daemon/file.c b/daemon/file.c
index aca1caa..7600064 100644
--- a/daemon/file.c
+++ b/daemon/file.c
@@ -288,8 +288,29 @@ do_write_file (const char *path, const char *content, int size)
 {
   int fd;
 
+  /* This call is deprecated, and it has a broken interface.  New code
+   * should use the 'guestfs_write' call instead.  Because we used an
+   * XDR string type, 'content' cannot contain ASCII NUL and 'size'
+   * must never be longer than the string.  We must check this to
+   * ensure random stuff from XDR or daemon memory isn't written to
+   * the file (RHBZ#597135).
+   */
+  if (size < 0) {
+    reply_with_error ("size cannot be negative");
+    return -1;
+  }
+
+  /* Note content_len must be small because of the limits on protocol
+   * message size.
+   */
+  int content_len = (int) strlen (content);
+
   if (size == 0)
-    size = strlen (content);
+    size = content_len;
+  else if (size > content_len) {
+    reply_with_error ("size parameter is larger than string content");
+    return -1;
+  }
 
   CHROOT_IN;
   fd = open (path, O_WRONLY | O_TRUNC | O_CREAT | O_NOCTTY, 0666);
diff --git a/src/generator.ml b/src/generator.ml
index ff772f5..2c33049 100755
--- a/src/generator.ml
+++ b/src/generator.ml
@@ -1543,7 +1543,9 @@ See also: C<guestfs_sfdisk_l>, C<guestfs_sfdisk_N>,
 C<guestfs_part_init>");
 
   ("write_file", (RErr, [Pathname "path"; String "content"; Int "size"]), 44, [ProtocolLimitWarning; DeprecatedBy "write"],
-   [],
+   (* Regression test for RHBZ#597135. *)
+   [InitBasicFS, Always, TestLastFail
+      [["write_file"; "/new"; "abc"; "10000"]]],
    "create a file",
    "\
 This call creates a file called C<path>.  The contents of the
-- 
1.6.6.1

More information about the Libguestfs mailing list