[libvirt] [PATCH v2 python 2/2] add check for pycpumap length

Peter Krempa pkrempa at redhat.com
Tue Nov 1 04:17:25 UTC 2016


In subject:

"Don't overrun buffer when converting cpumap" perhaps? That would IMHO
explain the patch a bit more when looking at shortlog.

On Fri, Oct 28, 2016 at 13:41:10 +0300, Konstantin Neumoin wrote:
> If we pass a large (more than cpunum) cpu mask to any libvirt_virDomainPin*
> function, it could lead to a crash. So we have to check the tuple size in
> virPyCpuMapToChar and ignore extra tuple members.
> 
> Signed-off-by: Konstantin Neumoin <kneumoin at virtuozzo.com>
> ---
>  libvirt-utils.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/libvirt-utils.c b/libvirt-utils.c
> index aaf4bea..3fc0fdd 100644
> --- a/libvirt-utils.c
> +++ b/libvirt-utils.c
> @@ -589,7 +589,8 @@ virPyDictToTypedParams(PyObject *dict,
>  
>  
>  /* virPyCpuMapToChar
> - * @cpunum: the number of cpus
> + * @cpunum: the number of cpus, only this first elements make sense,
> + * so others will be ignored(filled by zeros).

So this sentence belongs to the previous patch and I'd put it below into
the text explaining how this variable is treated.


>   * @pycpumap: source Py cpu map
>   * @cpumapptr: destination cpu map
>   * @cpumaplen: destination cpu map length
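
Review bot: The new @cpunum text in the function comment is hard to parse: "only this first elements make sense" does not say which elements are meant, and "ignored(filled by zeros)" describes two different things at once. Suggest wording it in terms of the arguments, for example "only the first @cpunum entries of @pycpumap are used; any further entries are ignored".
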
> @@ -604,7 +605,7 @@ virPyCpuMapToChar(int cpunum,
>                    unsigned char **cpumapptr,
>                    int *cpumaplen)
>  {
> -    int tuple_size;
> +    int tuple_size, rel_cpumaplen;
>      size_t i;
>      int i_retval = -1;
>      *cpumapptr = NULL;
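
Review bot: In the declaration `int tuple_size, rel_cpumaplen;` the new name reads like a byte length, since it sits next to `cpumaplen`, which the function comment documents as the destination cpu map length. The variable is used as a bound on the tuple index, so it counts tuple entries, not bytes. A name that says so would keep the two units from being confused by the next person touching this function.
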
> @@ -624,7 +625,9 @@ virPyCpuMapToChar(int cpunum,
>          goto exit;
>      }
>  
> -    for (i = 0; i < tuple_size; i++) {
> +    rel_cpumaplen = MIN(cpunum, tuple_size);
> +
> +    for (i = 0; i < rel_cpumaplen; i++) {

You can avoid the temporary variable by checking both tuple_size and
cpumaplen in the condition.

>          PyObject *flag = PyTuple_GetItem(pycpumap, i);
>          bool b;
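
Review bot: In `for (i = 0; i < rel_cpumaplen; i++)` the index `i` is `size_t` while `rel_cpumaplen` is `int`, so the bound is converted to unsigned for the comparison. If `cpunum` were ever negative, `MIN(cpunum, tuple_size)` would be negative and the converted bound would be a very large value, which defeats the limit this patch adds. Checking that `cpunum` is not negative before computing the bound, or holding the validated bound in an unsigned type, would keep the limit meaningful.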

Not visible in the context is the second for loop that clears the rest
of the bits from the tuple which exceed "cpumap". This is not necessary
any more since you now fill only the first elements.

Peter