[Virtio-fs] [PATCH v3 5/5] tools/virtiofsd: xattr name mappings: Simple 'map'

Tue Oct 20 10:09:22 UTC 2020

On Wed, Oct 14, 2020 at 07:02:09PM +0100, Dr. David Alan Gilbert (git) wrote:
> +static XattrMapEntry *parse_xattrmap_map(const char *rule,
> +                                         XattrMapEntry *map,
> +                                         size_t *nentries)
> +{
> +    char sep = *rule++;
> +    const char *tmp;
> +    char *key;
> +    char *prefix;
> +    XattrMapEntry tmp_entry;
> +
> +    /* At start of 'key' field */
> +    tmp = strchr(rule, sep);

Missing sep == '\0' check. The strchr(3) man page says:

  The terminating null byte is considered part of the string, so that if
  c is specified as '\0', these functions return a pointer to the
  terminator.

So the code in this patch will eventually access beyond the end of the
string:

  rule = tmp + 1; <-- tmp is already at the NUL terminator
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/virtio-fs/attachments/20201020/b54f0261/attachment.sig>