[libvirt] [PATCH 4/5] phyp: Fix too small buffer allocation in phypAttachDevice

Daniel Veillard veillard at redhat.com
Mon Apr 11 03:06:03 UTC 2011 

On Sat, Apr 09, 2011 at 11:59:10AM +0200, Matthias Bolte wrote:
> sizeof(domain->name) is the wrong thing. Instead of using strdup here
> rewrite escape_specialcharacters to allocate the buffer itself.
> 
> Add a contains_specialcharacters to be used in phypOpen, as phypOpen is
> not interested in the escaped version.
> ---
>  src/phyp/phyp_driver.c |   90 ++++++++++++++++++++++++++++++++---------------
>  1 files changed, 61 insertions(+), 29 deletions(-)
> 
> diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
> index 24165fb..226946d 100644
> --- a/src/phyp/phyp_driver.c
> +++ b/src/phyp/phyp_driver.c
> @@ -891,14 +891,63 @@ phypUUIDTable_Free(uuid_tablePtr uuid_table)
>      VIR_FREE(uuid_table);
>  }
>  
> -static int
> -escape_specialcharacters(char *src, char *dst, size_t dstlen)
> +static bool
> +contains_specialcharacters(const char *src)
>  {
>      size_t len = strlen(src);
> -    char temp_buffer[len];
> -    unsigned int i = 0, j = 0;
> +    size_t i = 0;
> +
>      if (len == 0)
> -        return -1;
> +        return false;
> +
> +    for (i = 0; i < len; i++) {
> +        switch (src[i]) {
> +            case '&':
> +            case ';':
> +            case '`':
> +            case '@':
> +            case '"':
> +            case '|':
> +            case '*':
> +            case '?':
> +            case '~':
> +            case '<':
> +            case '>':
> +            case '^':
> +            case '(':
> +            case ')':
> +            case '[':
> +            case ']':
> +            case '{':
> +            case '}':
> +            case '$':
> +            case '%':
> +            case '#':
> +            case '\\':
> +            case '\n':
> +            case '\r':
> +            case '\t':
> +                return true;
> +        }
> +    }
> +
> +    return false;
> +}
> +
> +static char *
> +escape_specialcharacters(const char *src)
> +{
> +    size_t len = strlen(src);
> +    size_t i = 0, j = 0;
> +    char *dst;
> +
> +    if (len == 0)
> +        return NULL;
> +
> +    if (VIR_ALLOC_N(dst, len + 1) < 0) {
> +        virReportOOMError();
> +        return NULL;
> +    }
>  
>      for (i = 0; i < len; i++) {
>          switch (src[i]) {
> @@ -929,16 +978,14 @@ escape_specialcharacters(char *src, char *dst, size_t dstlen)
>              case '\t':
>                  continue;
>              default:
> -                temp_buffer[j] = src[i];
> +                dst[j] = src[i];
>                  j++;
>          }
>      }
> -    temp_buffer[j] = '\0';
>  
> -    if (virStrcpy(dst, temp_buffer, dstlen) == NULL)
> -        return -1;
> +    dst[j] = '\0';
>  
> -    return 0;
> +    return dst;
>  }
>  
>  static LIBSSH2_SESSION *
> @@ -1121,8 +1168,6 @@ phypOpen(virConnectPtr conn,
>  {
>      LIBSSH2_SESSION *session = NULL;
>      ConnectionData *connection_data = NULL;
> -    char *string = NULL;
> -    size_t len = 0;
>      int internal_socket;
>      uuid_tablePtr uuid_table = NULL;
>      phyp_driverPtr phyp_driver = NULL;
> @@ -1157,13 +1202,6 @@ phypOpen(virConnectPtr conn,
>      }
>  
>      if (conn->uri->path) {
> -        len = strlen(conn->uri->path) + 1;
> -
> -        if (VIR_ALLOC_N(string, len) < 0) {
> -            virReportOOMError();
> -            goto failure;
> -        }
> -
>          /* need to shift one byte in order to remove the first "/" of URI component */
>          if (conn->uri->path[0] == '/')
>              managed_system = strdup(conn->uri->path + 1);
> @@ -1183,7 +1221,7 @@ phypOpen(virConnectPtr conn,
>          if (char_ptr)
>              *char_ptr = '\0';
>  
> -        if (escape_specialcharacters(conn->uri->path, string, len) == -1) {
> +        if (contains_specialcharacters(conn->uri->path)) {
>              PHYP_ERROR(VIR_ERR_INTERNAL_ERROR,
>                         "%s",
>                         _("Error parsing 'path'. Invalid characters."));
> @@ -1242,7 +1280,6 @@ phypOpen(virConnectPtr conn,
>      }
>  
>      VIR_FREE(connection_data);
> -    VIR_FREE(string);
>  
>      return VIR_DRV_OPEN_ERROR;
>  }
> @@ -1947,15 +1984,10 @@ phypAttachDevice(virDomainPtr domain, const char *xml)
>      virBuffer buf = VIR_BUFFER_INITIALIZER;
>      char *domain_name = NULL;
>  
> -    if (VIR_ALLOC_N(domain_name, sizeof(domain->name)) < 0) {
> -        virReportOOMError();
> -        goto err;
> -    }
> +    domain_name = escape_specialcharacters(domain->name);
>  
> -    if (escape_specialcharacters
> -        (domain->name, domain_name, strlen(domain->name)) == -1) {
> -        virReportOOMError();
> -        goto err;
> +    if (domain_name == NULL) {
> +        goto cleanup;
>      }
>  
>      def->os.type = strdup("aix");

  ACK, we just need to make sure contains_specialcharacters() and
escape_specialcharacters() don't diverge on the charater set. Maybe
add a comment in escape_specialcharacters() to this effect.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list